23542300x8000000000000000354097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:49.735{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C32846EA13F36CAF3B33745D53D11E,SHA256=AD87207D36A8DEF39B6AAEC5147525EEFAD02D68F4CC4CFCDEF933D7D1C3EFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.681{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.508{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06806E82E7094721F6D79BC46AD3C421,SHA256=5546A210F36AD15932B695B5BF425FCC282B453DA9A02AFC50EF794F4D581C80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.214{EFF5EEA8-7A3D-6352-6C06-000000008C02}9723120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.060{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830394697FFB145E353C15604F9681B3,SHA256=7939919D8B108AED6086F88149A7BD1C76E171E5474F30343A7D2F27F2E62754,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:50.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196A18E52459D1904859717DF4B950A6,SHA256=856AAC1B73F8DEE6B08D271C47F0C9A760AB3639A9949E078322C7E8F0E6D1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:50.258{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4293D80EFD1BA6C8D4947D8AA3848643,SHA256=3AA4A287071202DCC3A0509A6AABD588EDACB506DFAF12029DE144BCB234B33C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:47.854{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59791-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:51.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129DA1224102F60A465B513B464F544A,SHA256=46197EF116A393FABCC963B7F8744FE0A57771926E94F1D83BD38F8B08FE7BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.997{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.996{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.392{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D5FCE189DE2E0AB435C727A5DCADEB,SHA256=B2A3D6A2D4B9497F3E9729CD3442271DFF048E748D07091FD1F01EB71E7678A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:52.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39580EABB8418005F217A77F67D7AB1E,SHA256=D3A7CBD089B9C2DCB3E938361DA9E85E609ECB2D915BF5D0A40E98C0BD36F2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.627{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD9D585462C9D4730D356B5F3D84DA3,SHA256=964C6AEE9D713613E783AD6528EF06212C5B9EEDA03AB944B1C5BAE1DFB6D0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000354102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:53.974{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6555659C77DA5BDB62A4054E99E24FB,SHA256=64D815194A7BA02575F81DE5FB97C7F2D5C566F0EA42AA2DFFA84A543E96F670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.316{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52178-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:53.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64616BC8625C5330D3A590701C9CE95A,SHA256=7664C5DB3D81C849EF232996F83E9880BBB04381D3CB2DB3F4B7DE97A152D3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:54.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726CB5CF8A905D0213937FA8AC4F0B44,SHA256=3B14CFD699A22698930463E2C382A0C6E57C5F26FF46196B6627465C909D68C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:55.856{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B504472FCD1F2BF41C4A45C0BE24D1B5,SHA256=152A0360F290AF60B171C82079E6C16E25AC8EF68077E100247899521C484723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:55.016{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16B3880372268517CA7C8D31E3F47A6,SHA256=93C077906131B7B4863DAD5FF0239B3F67005ACBE4CF8883E3357D933BE2FEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:53:56.956{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BADEA0D154D08EF2AED97F6FC1E2D44,SHA256=6D49755D8DE46810F33BDAB09665FE2D70AA1BBBA8C10CD696D5006D2C6251CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:53.836{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:56.078{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E5C2C888F640B785F35255AE9FD318,SHA256=7B3DF04CB0BA518135034EC2C66DA1967728C8FDE80EF0B0DD75A964596BF2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:57.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC759C2814D5A5030703EEB53FDA0F1,SHA256=B7991512A36CC09409C59B354072F9B6C09BE9E412DCD4EECE701E9EEC0E6362,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:58.183{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975B7139C616838165FD953147CE22B,SHA256=090E816EA3C43AB48A738EBD8A9B5711AFF251BE2E6778C342844386396E0BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:58.042{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BF01BB855B164D2C8DE33032BB14ED,SHA256=D781316465960FA148E9628B469FAF915754BE6B22A2565199CA34E4BA79688F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:59.325{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824661944F0401D9B75F54C49F42F079,SHA256=FDB938B9A5AAE612D4E8D54BABB7E8A0FB742A66AE65710F5DFC08B3FEE955F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:59.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1415E8153A47E8AA26FD49C4EA1D6CE5,SHA256=EFFB49DDEA8D7A4C5B01F3F017C20E6299FECAF7E99CE53E9231645498AE5DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:00.385{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86321D42C652DFC26CA956F3890BAB7,SHA256=D5632641829133A1B60C42F94AF34F79277BDE35EC95454C8690B2E3A600DF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:00.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FEA79B9AAB62BFEC8B6781F5FEEAD3,SHA256=659E58BAB1434509DA1482482AE58A3FBB4E04EEDBA40B9A5390C759D336C879,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:57.292{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:01.486{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9245CC890C817E05F31224A097925711,SHA256=6C5745878F03CB00737093EAD67A8F11EEE42F9922C65E4E6BCE22CC6EBCE8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:01.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C140E7278036C97AAFADC7334559A71,SHA256=0E06B4C992103FADDC86EF5B6BD8A2A62477194A42345C925F39D7DA22851636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:01.127{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0238A15C2814A0B770C27861A5629470,SHA256=8D2C8E00C2F26F3CB718BDF2578F10B93A8AE61F6C3B2BB82D139CE148002A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:02.556{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318979F0ED867296A9D37D3C1705633F,SHA256=78F7CA2EF260696F2B8CC897DF40061950EE10665DC7642840DDE59EF230AC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:02.399{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FD489FF3C88CC80E34F5F3CDAA60F7,SHA256=C5D16979B0F10E345722C1208939B804C19A94BAA5A29B47B15F1D1EA18124FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:59.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.960{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9039CF83501EB6EA43F495857FF8458B,SHA256=9D260CE797094F7CD64EFC40AC5790D6FF2F50B79E794DF9C695BE46145B3A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.870{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.864{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.861{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.855{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.853{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.832{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.823{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.820{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.817{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.814{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.803{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.796{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.770{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.752{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.735{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.717{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.679{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.660{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.642{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.632{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED1A82F35E6C493841E6AE11E8DE787,SHA256=42CA4DB85F751540C4668EB5EECC333AEB94D555E2D483DF7BF00BCA07C21685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:03.623{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.595{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:03.493{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E87F7B571FE24B099890839D50AE2F,SHA256=8CCEF3EEF99DF4FC230B1F735D125D055465B2D1F5AB073F500897833BD965D3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000354115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.550{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.547{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:04.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC313290BCA06A76651DA5BA41EFA5,SHA256=3452ACFB89C5B8C6159641BEB1A9B2874CBA892E4495E215A11DF2D4176CE062,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000354151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000354150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c31e41) 13241300x8000000000000000354149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0x0de4c4f2) 13241300x8000000000000000354148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53b-0x6fa92cf2) 13241300x8000000000000000354147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e543-0xd16d94f2) 
13241300x8000000000000000354146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000354145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c31e41) 13241300x8000000000000000354144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0x0de4c4f2) 13241300x8000000000000000354143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53b-0x6fa92cf2) 13241300x8000000000000000354142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e543-0xd16d94f2) 23542300x8000000000000000354141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82F0FE0956656DA748A0D9688B26F5E,SHA256=9709DB0AEC7B99018CD7DE49E2F8BEFAB746873F2A46C0E20A6DCCE5DE11D7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.332{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.329{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:05.879{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4FBA125E8CFB83CB2A145B7AF63549A,SHA256=DC9B0AE838EC7CC0AFFB31A605A0FF09C3CC90F63764936FAEB58F276D774554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:05.651{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9CD9176FF755F862550E25F25EBE51,SHA256=D917852C2FFF4E2CFCDFD1D355DDE5CE1D5BB80D4E0F7CCA9E66FF412BA4542A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:05.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AF2A5556936A0F644994A98333857C,SHA256=D9C215762045B15491D751DD719657AC29A60B2B95BE32E159CC691F38A2E64C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:02.496{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52180-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:06.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C26FC73C948E6391578C3D57FC99E6,SHA256=2CDED1742572806436912081B133D500602BE6FD4385F90373567E19242D1253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.981{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.974{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 
10341000x8000000000000000354170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.972{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.969{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.954{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.945{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.920{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.915{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.902{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.897{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.895{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.886{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.884{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.883{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.880{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.879{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.862{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7FD70CC4479BB3D94030DC8A8ADB46,SHA256=2AB30A1E76042C1BB3EDF49D254E18DB5F3E5602749A609A86D9504BEAC033FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.364{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.363{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.361{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.966{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F3E532ECA39ECB29B0519E0C63B15E,SHA256=C2C64BEB7327CA67597D9D5758150755E088DEC190321C3C2A72B74A23CF071C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:07.809{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0F6397063EDBD841769FF4090F5647,SHA256=ED0DFB768E17336C4EB0AA774A1658553F2BBDFE02BA882B92DA99BB6515D205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.434{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1A6750E3742168692A0A9C9CD8DC1,SHA256=FB14D6B3D9178C07896918649F59116D5DA23334867C1682FFDC5003370D4FD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.144{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.142{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:07.140{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.135{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.133{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.130{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.126{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.123{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.120{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.118{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.113{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.109{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.106{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.103{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.098{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.095{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.093{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.090{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.087{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.083{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.079{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.073{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.071{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.069{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.062{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.041{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.037{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.036{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.035{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.033{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.027{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.016{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:08.897{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2018D1CD8447EEAACEF7927686678EB9,SHA256=A06B0251AA383FF8CC33C6D42A614D626F6378F5A88F7F7B0E717665B7EA9661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:05.782{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:09.972{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76AD97898650674EFAA8F5DC08A3313,SHA256=83FDC1A9CA1263CD7B7D7D62080BE04541F29AF406C1D5A5196869981AD9462A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:09.079{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3823A80E851C7AEEBCC0998C054F53,SHA256=A0B194B4F4311844BD109DB3DAA391E2A40A590270A375CC3B238B91ECB48311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:10.180{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B49A856D0107E2A95B1C92B75D392B,SHA256=5BFADBED1936C11583F54F2683A276452F0E804C464A925FA914555942216314,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:08.445{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52181-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:11.297{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C5BEEFAA4EA744D67E8F92B49EFBA1,SHA256=F39C5F7ED96B719E64973AA6213122B5BBCD0596D184D9A2FCAC03A94AFEA4AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.958{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000235399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.064{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A938437476B07F1B6360B8B0E9B0C86B,SHA256=85556A05EAA24CBCD32B28C3E2642D193AEB1F7F6672D4919959BF4390F896FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:12.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0738B4C59A1A1137DE0EB586D4159FD8,SHA256=230B297B80AC7BA273CD0D5335BB00683D4CD8990FD2A6CFAF3EE2038B97ACBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.306{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FF4B0AE28E8AFD1136BBC1D0D04D1B,SHA256=03184D77E856BBAD2A3C2E7DC7C3608520A8BC94B42C05F672C95412A6E69355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000354224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:11.789{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59795-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:13.369{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4EE1B9A94BF9856A0C6407C31D0CDC,SHA256=9D1E7272EFA0E15D278149C9284B335AF34D68B4189CC654F025FEBEEA4144D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:13.333{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB242105DA1BE5AC7CE924E036F81B9F,SHA256=3472D60A9E2D522A94219EFAF1F0E37DFB01DABFF3CA07E56C68FC09C6047766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:14.470{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445247CFBC162A8949B29F8F77DAA455,SHA256=053B8E28A524A5CA2A7C392BC645DCCC7A30D5985E1F1949C486D0023917F163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:14.431{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.415{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.407{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0FD06514CCE33F6E7AEF3A5ACFD715,SHA256=9BE7EC5B0D7FBA99DB3933AF5E80F3E3EF9FAB8790ECEAE62BFF55F7B5FD6213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.944{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc34949.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.544{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4618EE3A2E1630A225E3D5A98A8423B8,SHA256=7409045032A39BF967CE15D5C4EBE3F851552D5206A19A835F98AE05CA1AFB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:15.488{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710D16988870359BC6F145F1627934A,SHA256=C485E324A488271B426F3804C39EC696CC2850934D4B34CF974CC0C7D699026B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.021{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6DCA7795440314F127D0E253F166F5,SHA256=8E5D68AA120742D479133757EC360342375D4EF4AAF9B8FDD43CA96DDA706080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:16.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F6726A08A0251BE9933FFBAB121809,SHA256=B6EE5A52B4921CEE5EBD8DBE18055B64540B2B6372EAF05A5818A2C8FD6A0C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:16.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9100F140DB696D5F6B49FB00BB8F2BA,SHA256=8037F76485E205E466A33B80C55727598BB7061492C6F5A7B137F309EE5D7A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:13.464{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52182-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:17.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A759BE82C31D7F343E1F060AD0521,SHA256=008488DB9B29A849C2D01938DCDE9082ED8FE3D534DF1336CD992D346CAF9A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:17.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A755139E032599262099214FB371AAD,SHA256=0A3AFF499788132F37005EF45B6E1C3EF2DD81A78646D459920A2B96AC5856A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:18.774{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCD0B09E11DA7645CC5D1BE9C4A3A32,SHA256=2501DA15753EB11F252E12FF4528768D99B982FD75B5FF01BD6089C7B16E0B6C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:18.771{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884F71FD1454F1995E3FD1D28BDB5AF,SHA256=B5377BE550FD070ED44D1F55357A42135F5B78490231BEB0B38760E445A991DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:19.865{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D679A6D6D39E744ED44DA8AC7525AFD,SHA256=CBCFEDAEE71D9EBC41400E726CF889D933663F8B1643AB30A3AC82BA107DBEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.857{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDAA3728D91A63FEC009AE537BD3D4E,SHA256=4618802C8D9BBB93B644DF357F64250618A80E0A1FD9099CE3A03B26814A3A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.732{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6B45757ACEF90F80B9D549735D78A3F6,SHA256=C4F53D23E2DB1649F60E0ABB24A10AE332C2ACCCBF196998E7FFD1663EC9D79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:20.937{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F23A10F07AA4EF2A36666D1DC8A138,SHA256=79A9AABBAB0606F64D00B2327862BEEC9F50DC5656A677B3E172539C11F7FC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:20.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED6BBC481CDAC97A7A311A0F22503E4,SHA256=1055A1DF2E719D80BBBA8724D06A5DF034A858D8E1697DB8CF459CF1D29DBB55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:17.827{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000235444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.433{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52183-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:22.031{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AE31F1ADB491212B302FA435A2AC2C,SHA256=6F52750C23C955DF44B13717339C365F6980D50F76F74C6D027245275E35EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:22.028{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D80A5CC708E08819630519C448D8426,SHA256=DB1237838F2278B22ADC36B9D0094C97F6549322B470B9D512AEF1AD44D32128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.802{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 
10341000x8000000000000000354258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.797{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.794{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.788{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.786{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.768{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.759{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.758{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.756{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.749{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.744{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.726{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.716{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.705{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.696{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.669{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.655{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.648{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.635{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.626{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.567{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.564{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1110D954089947DC5E546F4D7C83160,SHA256=F019D602917F1B4F718DC372D0228A3CD98696661A41DCE69413D0D4EB6A5450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:23.655{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-207MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:23.127{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D13933310ADCBFF915253114BECA0,SHA256=1BF7CF17E56DB3AFF2BF2A96AD81968C556F4AF863298CC2D5D78575689DD69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.194{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CCC6825DF5B2977FE14494AF7141E9,SHA256=665069A5CCFD751D695717612CB00D4DAF5BEDDAAE0F050CCE2CF69BA1D9E1F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.188{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.185{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000235449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:24.665{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-208MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:24.195{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569A67B14387CECCC86CF9026A4F5F23,SHA256=A2B26830CDABFFA3D1FEED95AEFB7551BFB5720F738C4C5F4F5F0B27C486915C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.727{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:25.255{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0323500CB0A5ADD2B01E44BB8E200049,SHA256=1DDAF8CDAAD964822F994D8208561376AC2538FC7DCF56F9A4F3C94A93A2EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:25.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F11A70CC3CB7250D47BB528BB2A7CD,SHA256=1C13271C876BBA95AF78ED75A0A0E013CE2DA13B030A5F3CC1CBDB4ABE460044,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000354299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.998{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.997{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.972{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.964{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.961{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.960{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.958{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 
10341000x8000000000000000354292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.955{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.950{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.947{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.935{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.884{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.876{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.873{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.870{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.847{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.835{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.797{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.786{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.775{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.769{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.768{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.765{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.759{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.758{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.340{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D0E6726D281A4E8F17ADDDBE6E5175,SHA256=ADECBA7A64DF26F2AAABF3F954D6730D49F050606FDE12A04891ED40F42EEFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:26.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59C3BC6768A8E4ECB6D7E4B2AE90CD1,SHA256=E6427594565CC71A35E93CB1E723493E426F3ADDFFB69C6C8974C492A6464824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.235{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.233{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.230{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.045{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:26.045{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.044{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:26.029{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181BB10886D063D10962FB67D65E790C,SHA256=8168916B27E53AD7A7B182F8C1734D14DC5ADC59B2419BF305689472A91255E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308077924ED24AAF7015BE6CAEDBE3F1,SHA256=6AF60743E3547C6353E1EE3D27828035FB652ED218679A18D036EF9496B9308C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000235453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:25.397{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:27.460{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4804B0EA9A9E64A565ED71B3CA687231,SHA256=8EABDBF1A81EA357EC1835C5A150D42B5E9B98CB21C7A42ED52A78C4A91C71E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.127{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.123{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.118{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.107{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.104{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.101{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.099{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.096{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.094{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.091{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.088{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.085{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.082{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.078{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.075{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.071{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.068{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.065{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.061{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.057{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.050{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.045{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.042{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.033{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.029{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.019{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.017{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.014{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.012{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.011{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.001{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.000{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.787{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AE5F5914FD680D4C2513985D38A9D1,SHA256=DBB64F64BB51E5E5203B8F60EB4A42EC10B0DB3A7EF2C08135CDBE9DE8007460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:28.703{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.704{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000235455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:26.358{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-62852-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000235454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:28.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AD3FB534C97DEFD7B8923E9ABE4425,SHA256=06FAB5E211F6CE805229C66252020341E17C799ABCC73C667110056DE1D5B327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.288{30B46F62-7A64-6352-A307-000000008B02}991610208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.039{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:28.037{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.037{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:28.036{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:28.036{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.034{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.788{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA687F2940439A93EEED5630FE0EA42A,SHA256=066BBB5D8CF1DBCB38A1D7F4B2D4A5714113261B877A55EB354DDA5E8C6999E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:29.634{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A566DB841AA3D6E332491AD2A17BB31F,SHA256=0CDCC27DB06104D045097B9A129F6FAF462C254C4AC7BEAF86E10CDE8433F62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.204{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=221E8B89ADFDA68FBA551D5D12CC375C,SHA256=9C50A22902AD5F7B91B7AD879D2BA8B42E26FA30C4B5803BD1D276426936A770,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.105{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E54D6D9CAAD3FBC35174BCB3AD5E6EAA,SHA256=53754D874BC7B15DED523E371AE6759AC3521BE521CA9F62159D80851404EA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:30.905{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE463AA091978B1210AEBCE02C531A6D,SHA256=4693FEECE255AF17E02CC9A4B3805AB3710542E6A0A0028DD438DCB7779E2082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:30.723{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B52916194BA40990DD607597715410F,SHA256=A5B1221E5F12F6DB03F48D227078C3954712F3A2BF8ECA66918E4ABD22D7DE41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000235458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB2AF0F96B707A45C233BA2E5D6BD69,SHA256=F3ADFAB68CEE7ABA0C3CBBD828E6B215AA5475FD31044B80B0826B1B2B57441B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.605{30B46F62-7A67-6352-A607-000000008B02}101409384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000354379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.684{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59798-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.390{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.361{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E1016919AA2742F5B22C60F721785E09,SHA256=B581A476A12AF1C14915C774EF74D93BCD7A87E3A6732879ECAC6600C252D7FC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.837{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:30.468{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52185-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000235487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.031{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.029{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.003{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000354382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.793{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.023{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7BB58E2DD710DFEE3594E7050C5288,SHA256=85CE7B753B12580BBA016AD9F3E898550CA397A9B4B06FE7F25C5458CC9D031C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.860{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94CBC492F270850A0E1B50CEC2D8598,SHA256=F8715B0F7FC4D4CF262E1A654D1CA9856FC9D918B11D473D3EDD9BDC31CC8479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.883{30B46F62-7A69-6352-A707-000000008B02}47606164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:33.693{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.694{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B400E61979191E47B44D0184C4D5E0DF,SHA256=9EF999A13F89E3F4998C190E51BBC492CF8A2A9D45B8B7ADCACBC534C1FC584C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.366{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE785899E7D672F9F1596AF857B5608F,SHA256=85965A73BF6443EC2CE86A3F797B25460275C80BA567912B0E52CB4ECD0CB84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.087{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575FB857F46C2C7F07F06F9257320812,SHA256=DBC371F8FA14061F7DBE14AAE000ED18CE1981F327603524EB1E9C45AB11D29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:34.956{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B5E95BB96C43BC4A307C78AA5A84B6,SHA256=DB3DF95580029679BD9EF5AB6A05161028EBAD927E836C1393B4C6DB99F9C266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:34.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73B17AFD1392D917C89B9D42482C23A1,SHA256=3A9415DC3D9F2330C555BB4373A5BCB54E77E993E64499E490B0DE2DBDF6A304,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:34.867{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.868{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000354404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.388{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59799-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000354403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.610{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06840DF86667EDA8893B4828D5690256,SHA256=C725E726CDB3E060DD5530C01842237FA859B395543196202DDA2966E946540F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.610{30B46F62-7A6A-6352-A807-000000008B02}102127560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.367{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.109{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35BF16A583D544F06FC21962CC178FD,SHA256=CA2106FA5FD97B77FCDCDFD0804344F103C7399A1AD338521855D2CF0E1E9FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.059{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000235496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:35.931{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A1F135E163BC34277FAEC4A2D81E64,SHA256=163D9090536932F399AEC398FD40A4A36116F06F256D7F830EA831FC5938488A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.163{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000354415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.163{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 
23542300x8000000000000000354414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:35.431{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-207MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:35.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305584E65AE8F5A0C7A4C7D6F47239E5,SHA256=EC73D494FADAC04CA88A6E1E5F65CED72934ED6EBD7B9833F1B1C40EF56030E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.799{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:36.430{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-208MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:36.373{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1034A63DED79B99DBCC1AD6848908A25,SHA256=D23A5F26BE9C1D428FAE6A7B13EA0F7B7D3DC1B201106F1A005C3F69ADD4381B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:37.447{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9948ED4B12F01FFA49C4DFBBDF54CA9,SHA256=07AE59808E279EFF1C97E7BB7F55AE21A34C41EF45C17303FCE51886FCF1FE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:37.021{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431CC309AAE120CF5C3EED3C1D3CC7BD,SHA256=3F5E47C2014046CDF6F6BC0CDE511838EED6BB714E5D0F82D841206F0FB26C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:38.549{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83830E0D812E019595DA8ACB28E5B12F,SHA256=B3C8CB1224FFE5177FEAF960F2B8AA2F104823B025F8F1F162169EEEB3D76622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:38.113{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C6B682402E7C417F31ABCC09FBF894,SHA256=5CAAE322061DFD759A10BF20CDF28F1C37F774B768933A08E3F2D9D02491BC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:39.674{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71D699BBFD2A98416F0B85FE1965BFF,SHA256=6453B7BAB9C69426EEB9578039E6E550668E42CF406669255C7104D8546D0B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:39.191{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B92958298283A879349F32E92B35273,SHA256=400EBEAF7E7ADB8027A573782323AD51318FB7112CF5A3F96DDE0D2D74AF8A41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:36.333{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52187-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:40.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574BFE09A13255D19153D22420E88A48,SHA256=561FB5C5828E909638016B71855BDB2BDF70027C9A9222827317CC8AB428ABF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:40.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DCE3578B152DC68BB4D37B15D71676,SHA256=057D80687987BDC81202A6C11C8B01DB96C32801071CCD508E16A6C7C978A8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:41.921{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029823B77276AF6EE9798A8815DC29F1,SHA256=643D1D6D562C1A5ED2E119C64722AAF35CEF4BC3BA9965C35117B0C2D4078FB2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:41.354{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E0FE385E7D1578C1B0387E8F4D5E80,SHA256=3F6BBAF70CAD8D6DD3603841F55D3AEE18ED1E4147865C033F5BC4EF108E5A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:39.809{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:42.421{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284BD61110A4A136967B3EC9E957E374,SHA256=E9C08D4A2A6539512D1DD5F92F119A2A52F5DA8663DF17C97938ECEC7123D8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:43.500{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980AC49F9996A6F263D502E32B73127B,SHA256=B9BFED4AB90CC6A932C2308BDAA6FCF056660B10AFA3D4F77B06CD71FA74DF4A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000354449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.775{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.769{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.767{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.760{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.758{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.739{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.732{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.729{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.727{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.725{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.719{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.695{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.688{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.677{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.664{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.632{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.620{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.612{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.603{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.596{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.558{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.554{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.037{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F30467C21AE84039A63FB8E98DD7AE8,SHA256=A8A0AD98CCC8C6B35ADA6131B5E99354A22C3F9FF93A6B9EB24EC1BE4AB5AF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:44.590{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC89C1449E4CA40C7D5DC164ABF4DD86,SHA256=1C3B5A8806BEA59918208480D9081B19CD005293FEF3C049CD2FD743E75A1C81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.152{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.149{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 
23542300x8000000000000000354450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.122{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1AD11B45DC68FC1B7637853A8BE4AA,SHA256=ABD21517667CA686920A75832EC07F347E0CA391A54F17DCF842ABB933FFF205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.894{EFF5EEA8-7A75-6352-6E06-000000008C02}24881248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000235519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000235517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA5C343EA12B52F731BB3AD4709CA4,SHA256=16A363C00C2FE23D71320C9BE572C509D50C667A24B514D22D4E014F64F46344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.677{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000354453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:45.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2F63E5D17AD08D329C72BEDC725B18,SHA256=438189F61304D63AB06B7EB7B55BAD6FA13DC4B4B438167AC94EF6A2FFDB5A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:42.363{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52188-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000235550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.841{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.762{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAADAD769C044BF8F7BC7317B0EBE2E,SHA256=6C0BB8ED93E83687420D842DFE3B852C94298D93A502A9778A4AE2A06727CD64,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000354505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.998{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.995{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.992{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.989{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.984{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.981{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.978{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.975{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.971{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.968{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.963{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.959{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.957{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.952{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.946{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.943{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.941{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.940{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.938{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.933{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.931{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.930{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.929{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.906{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.902{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.898{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.897{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.896{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 
10341000x8000000000000000354477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.893{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.890{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.888{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.877{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.836{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.823{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.820{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.800{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.790{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.756{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.751{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.737{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.726{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.725{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.721{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.717{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.714{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE424D8E0063985375A8DDE3078A04D,SHA256=DEF7AA79EA11745D6E7E931BB2F626ADF5561CD64A06CDAE893F41CAB023C65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.603{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F21AFF2A3ED2BB60D8E909AFFF165BA7,SHA256=5137F74C4E4BACE29F7441A96100CCA6FEE93CBF1603CA5A2DAD11FCD35E5554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.345{EFF5EEA8-7A76-6352-6F06-000000008C02}30282764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.177{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.186{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.184{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.181{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000354553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:45.813{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59803-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.410{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204ADE9E35FD8A09EBA1DEFE3A9C0921,SHA256=95023AF43FF0D78147CD150E86FD60B2E01A5F9C7CD944A26B5215744C0F1F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.666{EFF5EEA8-7A77-6352-7106-000000008C02}26481084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 
10341000x8000000000000000235568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.012{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B9E354CE1ABE45696EE896636F1F4F,SHA256=B04F2129F018902ACB0617ECC79090CAA705A55FF8D3903CCAA5711082463C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.226{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A228F8D0DB1ED75AC55C0ABB687D75,SHA256=DD6A39D38A3ECD6AB34835922334771661566074E7ABF4BBE9AF43F363066AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000354548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:47.041{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.041{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.038{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.034{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.031{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.026{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.022{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.017{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.014{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.011{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.008{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.004{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.001{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:48.528{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD22605B20C1B8548B0CE658A5B60A40,SHA256=0FC4BA902C6FADA7CFB59EC913F5472D106E71DE19852E63C6C96267076D9343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.815{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000235586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.302{EFF5EEA8-7A78-6352-7206-000000008C02}19923348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.133{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.135{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078D1DCE049CFD0D9CB3AA14B945FDB6,SHA256=B434C38178243CC8A87F867AD311ADC546A60D15F712E1E031AB8932536770FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.904{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5744D27E848EF6AD22CEA17DA8CBE625,SHA256=1F38A7ACCDC79870E036631908223C5B948CFD3272B2FA09B23BACDC4A1F8AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:49.497{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.253{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A049B62EE7E873024813571C8EA3C1C,SHA256=48A0A10BE9E3BA60521008C193D10BEC9F9CDF8E6427654E61C809C8ADF3CADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:49.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7EFBCBF2B47809CB64158502C26510,SHA256=ED6585D348938AF4081131DAE10D7664A366383CF62D9B87676F7B90303382D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:50.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5317F6500645D76E74DE7407E8F014,SHA256=6FFB08E15D8872D3DC21295BDD81037115D6CC3B7D1A4C90B9D1970B8888F7AD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:50.715{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA49C9F318E7DF0AD2384F0CB687B3E,SHA256=7460E4D2802B2CFAEF7569A94DD5968D73DCE0F2FA1635E5022660C612C26A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.869{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.823{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000235617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.686{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8EB183696EA48000CF984A85DE5ECF,SHA256=4554F0B5E73068D9BD262BB76EDC5DA2739A56C38957EBA4C06E77DD17B156F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:51.832{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D02F7C29529A0AEBA177A44E36CB0B0,SHA256=B350B8205C6CB23D0B2EA69B97F6D48D75D50C5E3D00D548638F8B7EB2C4B6D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.297{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52189-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:52.850{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2784A7D1D17197F7D50A3C3EDE621D6,SHA256=AD1A87FDD72E4D985516AA8D29F297E8C0FC23CBD0BF5C53DAD3C72B86DE64B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.039{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.037{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.035{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.032{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.030{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.029{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.028{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.020{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.012{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 354300x8000000000000000354560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:51.724{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59804-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:53.869{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F36D60EB691734135184022AFDDA732,SHA256=5742191A19AF6A818094E3086B128C7AE49C90132B840BF0103776DF184B3A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:53.077{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA8A04D2EA611E3C2E63D3F7FB37163,SHA256=88000E0EE1BB08BC49A3BB71CA44ABAEC883AE68B72E34107DCF665976BF2855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:54.955{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7F4687D2753228939C23DC30A03955,SHA256=B3FC83C9E2B35848E51061123F82B192E14269EE01F8B441DE256C795051CE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:54.187{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBB9E8956513F3AAF149ACB7E13DC75,SHA256=605689CF0018AD011592F5078B04B7956D87F9B0346483A5DB3DF7F696FC1497,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:55.260{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C112B3F7B8BF5999575C0F829F5503F,SHA256=18BBF651BF79769E1F04CC25F8A3E45EC208FB40C6D29C2907C6C25E6E51EA51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:53.467{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52190-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:56.350{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F86C530780BF85D34F7FF3C07B8A78,SHA256=F23B3CC4AD08FF64B203E9E2D5E5DC5E60DF82ADB3D5330F7EAD47693A852E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:56.040{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31691A79607290AC8C9B266A2E41CECC,SHA256=D683DCF1993EA30C92BB226D1B943C3C6A64505A32A2C137711CE65265331857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:57.426{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEE753E7ADECBB031442CB518B08CBE,SHA256=DE4100E0595213391314D2884C38AE68255A523E95796746E460B01F69526E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:57.141{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAA6379273ED6BED600AE8B295CDF2C,SHA256=6F12AE1E06820A6C831DDD8652CA3F5A88D0C9821EEEA4450E513A52240691A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:58.502{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526675884A5B8D87AC8F5A39A8DB6D25,SHA256=381DF344FF8AEA01819CFEC4969E25F95EC5C1DA982296853A91E15466EE7BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:54:56.880{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59805-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:58.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D0A86CE0383F5173B94E8CFFC10FB4,SHA256=7B83F4B462BA826251B97B3FE003BFC0094F44457007318EB2DCCF79802353EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:59.585{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8134479FE05EC74B6DB1C5A3848751,SHA256=10772612714F988F7C809E87F5DB533E172B397A879FCCA0AAB29A36C78C5DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:59.328{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3C0545F8D9C51196137A1E89AAA6B3,SHA256=13C082B958C926C5E988E0A763ABF5E66B903169837BB33C3C6C5B4FA4594A95,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:00.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221CC8335079937B29210A40B1851B28,SHA256=5632F92F0EDD9BB264CC14D85780A99E89A49D3C6ADB15A8C666F70942283EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:00.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6845AF31E98852FDD8FE93A357AE4B,SHA256=7CD7ABA42391FEFDBF6A60AD82DC958437C5741F921CD643DD97539452579172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:01.759{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D93585F5FDC6ABECA807D248B500F1,SHA256=4D1F7AB069CEB7488B87606176BF67232AB76FCCC56B4094F9895DF018AAD353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:01.455{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E9A8AA563F4C08294C3FC73284FAB9B3,SHA256=0C4FB85C67BE5B04F9760E7CF0C9ABD2AD5D9E7EAF324415BB1B76210F9E00A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:01.455{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD5ADFA7CDC4FE92D004C155BF3A0D8,SHA256=1DF952E56126194A872100E4E351709F6F7ADF100ECCB8918448FC4D9181D7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:02.846{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A517D01BDA23C6B7ADAA9DA03C1AF222,SHA256=E40A39115F75A59D08FD39F21FEF7F06666063DB6BA79AF46A67C80C677219FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:02.563{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E1155DA09FBF37BD33283470116DDC,SHA256=77149C939ECAABB80051C9AC28CA930A433C568D633569D120346A627571D134,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:59.396{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52191-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:03.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F622602566B82BEF2FC0FC8EEAF784A2,SHA256=E3C02A2D545AF996B291E86F472E61576B30C51DB403BF563BF53820A3C9C020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=94430173FACAB71984A3BD11E46E9A28,SHA256=C866AB0787F24F0DB8D72C16E6C278FB009E6A6596C1B09542266BAD4A94F005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.864{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 
10341000x8000000000000000354593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.856{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.852{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.843{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.838{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.816{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.801{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.793{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.789{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.786{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.772{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.766{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.729{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.702{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.686{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.678{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.659{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D9405B170377F8D2201DB2F3D21027,SHA256=E3D4846365D05E513DD0B5E36313A6928938642FF444A5564FD2AC1813490259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.641{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:03.627{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.614{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.601{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.589{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000235659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:01.123{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-64908-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 10341000x8000000000000000354572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.541{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.538{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000354599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:02.628{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59806-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:04.708{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434C07953797C739901A21C20A244669,SHA256=8C80DEBAF4A94C422CCB41AA92291B002C4F072DE231145F98C170A543164342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:04.438{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:04.433{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 
23542300x8000000000000000354600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:05.837{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219DD60BD194FADB19FD0F8F47556F1E,SHA256=4B7AD7B28622CB694EEB60326D944C1B517DB169CDE9F814953DDCB875BBCC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:05.892{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1A44952600A89D6A6AE7EEC56C9C00A3,SHA256=9E1091E2AD760808B3E0A57D035568583C553CEE6E7005D6755A1C6EAD548B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:05.697{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=527E3B36A0C00FD8970885A47E8480BE,SHA256=D7E9ED19D8F25036E3F7F095B7B3D1F3389B10C70AEB222C35A24A9D237A8C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:05.019{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4476CAB50FE3E6118702BF8D0BF58A7B,SHA256=135D18ED22E30AB2C1B4013829E79352A72108E42633FFCA3BAC2F0540AE2B72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.997{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.990{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.986{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.980{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.977{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.976{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.973{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.971{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.938{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66964A119CFAEB1C3DFA3EDC87F12FA,SHA256=21F06E956AF2CCB4119547BC2409EAAD619965F5103A9A86BA1EB9265C93D7AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.457{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.456{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.453{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000235665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:04.424{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52192-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:06.111{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17577A2ADCD41500A43B47332FBD6F44,SHA256=F860CB0275693DB9D23128C6AECF62FD6BDD7EEF66235880152C415EC60FF44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.993{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC0496F7BB0C05D772DF10DD920D5D9,SHA256=41F4E5876DBA506ACAD1834F7D53F97809BD238C37C6A1207C9C097DF5DFBA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:07.197{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC3ED94D1BB033202D607D1429F112E,SHA256=B8D7461CF938E368D18C220B02462ED0952D11D25E6D53797932E7014151F03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.453{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB9F183EEFFCA32EA74DA67B8C84E2E,SHA256=8185B5C25F3E3F17C5AA93B417373CBA370E2FFA2E60A7B60D250E1B952B80CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.297{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.295{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.293{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.290{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.288{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.285{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.281{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.278{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.274{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.272{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.269{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.266{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.264{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.261{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.259{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.256{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.253{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.251{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.248{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.245{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.242{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.239{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.236{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.233{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.229{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.226{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.225{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.223{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.222{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.221{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.217{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.216{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.214{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.214{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.189{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.186{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.182{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.181{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.180{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 
10341000x8000000000000000354624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.176{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.171{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.169{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.153{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.105{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.093{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.091{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.086{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.063{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.018{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.010{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000235667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:08.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519C28EF658FD8FA8E5073A2965192B0,SHA256=0D723DC7DEB11B4F373B2DC93FCFB4301D043ED5E858DEC39378DAA1809B798D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:09.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF227B927F63BD7E70F5BBB1F8DE3E33,SHA256=018A79AAF0B9735C6C8E231E4089D2C4A46FA16342B0A8A5182D21BBF73ED1FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.662{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59807-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:09.088{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDC55DF11A8A2979015299D1675A46E,SHA256=19C04EB5FE9D062937FAE9B77F9D1307AE6AE739F53EADAFC3E9AD590BFA0EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:10.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D25FDBFC28B42F473FDB6AD5C43BA2D,SHA256=EE676965C30483C046F5B91087517F6B388159DB6BB0B2194A06B7EAE4DD3A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:10.240{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED72ECC945F4E8603C2CA2D9140D00B0,SHA256=7F601B92BDFCB9F46CAC944B5542749C8875F4A55E8DAF9EBD7B5A2026470087,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.992{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.979{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.952{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.945{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.937{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.927{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.870{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.831{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.542{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E158E392D407E3600B43EE201580D8CD,SHA256=44887648956CCDFD87721DF5460DD36077E11EC12FB70F154BD1E10227EB45B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:11.271{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C03932E4F29FBE200438BA4BC51ABE8,SHA256=AD028146FF1CECD4B0C7D8D161CE670F1F4015C82ACCF9C86FD9BDD93889CB32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:10.450{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD8CD81863F3ECB56DD2FA6EB60D764,SHA256=13D5332972FB22C60C16B306D53B0CC5D9E78E1D7754EDDF7B7C52FA5F13B977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:12.439{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F476FB06A51524A26EC40CF79C53809D,SHA256=71ABF93D6FB8186674EB881419DC2BF4CD4F73255FF35E32743F893587D67CA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 
10341000x8000000000000000235698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.021{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.008{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000235702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:13.934{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9F1FA3876049E41521E6A78ED0607C,SHA256=B9664E90D53E77C7F8B382B737621EB976327CB1D92D7681E210EACD96059A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:13.470{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E773866C824EC49B0C1C973ABC3BE2,SHA256=D113E51DE24998C4065B7B2C0DCB3DEC59789D8579F680BCCDACC2BCA9652C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:14.589{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F065DB086B36384563B0ED623B34BD6D,SHA256=97C1F19934FB5A0FB1F97B4A505B090B1DFB6FE630899F59457ECBE5B51E23BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.901{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6AA5E5706A14091AE2F6627D35536EEA,SHA256=C3D7690BFD8138BA4E3B155C0B860F697D35ED8F2128EDB3D06D7AEA763425F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:14.428{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.428{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:14.428{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.416{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:15.625{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87ECF54688A5D7565AEEC9E3DDED05B,SHA256=99BC0802B7C982F182E1B3ACC4CB990EC4433692B610CA36673E3339B4AB0B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:15.010{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA84F5E39B2EAEC849843A8ED5C08606,SHA256=CD7E2F900F3A125869E8D90E6AAE1C7526D6699B42707379D80E6B0873027609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:12.694{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:16.754{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E807F153D2799F87F49F7DC005C0EE3A,SHA256=8B5D8285BB982EC290A541D0485765FC81A479E801FEF0CA66BAE98FB0682E30,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:16.112{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DACE0130F08DEF20CA532AE6CBCAAC4,SHA256=8ADF8022D408F2D5F637324B805A9229466CF48A512D1764E59EA782D69B3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:17.889{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D16DFD187EE95B5F9B78CE2A920FAB5,SHA256=006257E528E9E1E1FBF7C3BCEEA4124E6DA2A6735BFE5B0C65007EBF9FF82FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:15.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52194-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:17.203{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E59099544AAEB1695B5A6E21039320E,SHA256=A3832581E00E1BAEAC298D96F11468091B37DB7D058AB4B3243F373B9BDCDB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:18.992{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979E167EBCA942D086CA76B255DBBF46,SHA256=A98173F173760E5140818AAD913B1B44E13CA42E25C40E3A02D9D0C9BA169556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:18.289{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9D7A45E26AA8C96C7FC47CA245C5CA,SHA256=445FE4751970871840174F378AA2A56F43E70A2DBD7BBF12C0D41B48908F63FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:19.385{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1B012A08ECBFED26BD4B927B7927D6,SHA256=F4C3B2EFEE0D47CEDD414201623915B84CF6AB9DD620104D5B71E1DE56697AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:20.465{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D830F1C1A23E8F03D09EE56FCA528BB6,SHA256=95BA777564A4A86E896FB161DC3EF894F13D987F3F06ACC4788AF4220CFEE1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:20.044{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A465C5ADAF627717DFC8C07D712789DA,SHA256=BA50400C9D6CB360FEFDF69D3E7CEEA2CF1885DCCB313B56F9C033DE3A33EC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:20.109{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53502902CC5E577A7558A5EFFEE88D95,SHA256=5D3C7863690FFEBB25134E58B66F63C1BA411E9B6E151D108D5A9A5DE5A88681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:21.546{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33559F372FDA2BA2C79416659DD7246,SHA256=6705F53864E8D1F3BC46BBA8198D10A192C0C60A9A101A6ED2789177B2014445,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:21.192{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DD8E1F17781E44B6794C35D2EC07D0,SHA256=B4C9296B0A963472639428A47DADA70663E9C11D0726AB90A4B9A80D423352B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:18.683{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59809-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:22.642{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CB9DBD60CC2EFFF9DD92B1E079F295,SHA256=7AC835AF719D2B1BE284CDBE9B2E522DC254EA52B0024F61BA1A8644BF1140CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:22.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B55346E9C6729E8834A14E2DA500F4,SHA256=B57182326432A9AC857F67FBAE4493F94515520C651CB970B6C25DE9EC8C1802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:23.722{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0615A0EDEFA04205291990F6B3029FD,SHA256=12A35F0610530C3997505F535971B12EFF93641166C33DE77EDD37711FADAF10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.808{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.800{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.794{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.791{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.767{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.760{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.758{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.756{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.753{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.746{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.738{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.725{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.712{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.699{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.678{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.642{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.620{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.608{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.599{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.590{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.549{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.545{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.328{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF1D9B0C3FB8018FB32F28DB85D81D4,SHA256=54BBD3BAD0D0ED97EFFAAC1CB8DED15FF8918A6834DF217EBEE7551AD366E458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:24.811{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF83CAEE681C87074CB04DEB66E3B6A,SHA256=979866EB6CAE412E6A167A5FE8718C1E16F0820074ED3A8016D738185491FF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:24.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B558968CEBD9A3B9D80DDC8442BDA86,SHA256=E0DBD9BE90CD47999305C81B77D2E926C12A07AF0FC66E7698067D84D4B982F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:21.253{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52195-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:24.224{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:24.221{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000235722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:25.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFB4E2240DB6DE7E113679A8E17578F,SHA256=99893BEEA3703106FBF413BBEDD70F9C9F0B1660FE82B0D6BC251257AD7A2AB4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:25.462{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07766D64CC6648877DF1CF27F317E24E,SHA256=13183606483DB079DBB9B5D8B81834A541E053F5E3270D1F53D582740F8D1127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:25.184{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-208MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:26.966{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062835B37FC2DFF955AD2B032E4B3C1D,SHA256=E9C2378A9657E0DD142794B7FA08D0C2C6C2A59521F842BA9D1CA708DC3FB5F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.992{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.990{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.985{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.982{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.979{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.965{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.912{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.902{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.900{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.894{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.867{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.856{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.832{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.827{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.817{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.811{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.809{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.801{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.800{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.799{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.795{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.794{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.599{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C7BF35427E8AFF4E5B942329E68BDA,SHA256=BE07B5BF194F27AB4BC5BE35410C0EFE1C1E3CD1FB9DEA794C812E76A74116C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:26.193{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-209MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.280{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.279{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.277{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.038{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:26.038{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.038{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000354711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:23.869{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59810-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.026{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.798{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0B7D89030373228D0B49FC22C8127D,SHA256=4146A38D467B0523E4700751844735B674B469F7CB8F53FD6F2BA936F689A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.213{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FEBE707254335CEA4CA268B28374F3,SHA256=620BA3057DE556EDC32974E35648E832128B2FB8C7B30DA8D3ABBD5FD80D51D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.132{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.129{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 
10341000x8000000000000000354776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.123{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.121{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.118{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.110{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.107{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.103{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.099{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.096{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.093{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.088{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.085{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.082{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.080{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.070{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.067{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.060{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.056{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.048{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.043{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.043{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.037{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 
10341000x8000000000000000354746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.032{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.000{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52831439E8B6C61334C2357E6E12C0A8,SHA256=6C708812C7B99334FF3D832B7AA4A992C2E5104EE6E1457D0458BF8B03AF6192,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000354798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.894{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=641CB6545C95502FB111D5546FEC79EF,SHA256=7C77E956798E83B56F07A177CE2EE5A4BB0E1D4C5B303D96700C12B4B4950B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.852{30B46F62-7AA0-6352-AB07-000000008B02}903210228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:28.054{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697943A0A3AF6D2F898D805832AFFC9,SHA256=9E2B368F5AA4E598C58CFDA21DC1EB3AACBF240CC92AC64BFC9F0951F72D13FE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000354796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.620{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.047{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.932{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555936E5BBF3795E2EF66826260CFD42,SHA256=040DD755575078F0C3570F7C4561F50202D5C9EA097E870AC266D2BDD897BD3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:26.418{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52196-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:29.137{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AA852954F0D08027BEB02193100892,SHA256=06D04B978CB4F12A41EAC9EA635B9672F325D46298C261508082ACD1E2808CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:29.276{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.277{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.077{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA9CF1EB3921B060EA1E2374C10069B,SHA256=D9BB27805B33D0091E253EC21CB47AE3D9C7901A3705BA8C5866F42767A5444A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:30.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78EEB51A7513F4075E8B95533DFCB3E,SHA256=5FCE0736974365C185942D118D1318A2C43EED9D424AAF76097A9E52E6F39A93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.992{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.991{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.983{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.981{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.957{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.936{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.927{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.893{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.853{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.844{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.837{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.822{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.815{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000235729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.307{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8DD57A940E96E0154D6969609B671A,SHA256=B8364F642BA1904D087E6C060759C38C5C03AA0C2AF35CB76180366EC4BA961B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.718{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D993899B815079F0E80A232564A2F17F,SHA256=0A78B53B2A03A46101DCDB87FC32BD1E623282E52A0146E37A72BF6C110E1E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.618{30B46F62-7AA3-6352-AD07-000000008B02}13369308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000354818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.396{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.392{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A9AA7B0A141CB06B0A907C2DAA5D66,SHA256=767C5FAB5DD7CDAA74A2407274865FEA34B928D86A131630B754B68105C3D647,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.862{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.612{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2283D2630F06F6343CA4AAA7766711,SHA256=D6A0430C61627362538B1DEDD390D07E42E2B85519EEFF69A0E87B77088F3B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:32.822{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:32.180{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7064637A487D4AC2EF44D91A38D664,SHA256=03F5737CD3BC23E8142090969710711C622C5FD745B9817522D9C23979B4D7DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.027{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.024{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.018{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.014{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.012{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.009{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000354821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.754{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:33.706{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A22BAD8B30EC1C6A681320201CACA,SHA256=C031E81684730A097A67A52DEEC1F24D1B9D10385E325B9D72FDAF49C4EEBD4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.909{30B46F62-7AA5-6352-AE07-000000008B02}97207368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:33.881{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.881{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.881{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.880{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.880{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.880{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.701{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:33.699{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.699{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:33.698{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.698{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:33.698{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.698{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.697{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.222{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6F29981DD20E3CEC6CFD8BF914D957,SHA256=E566796869922185031FF074DEB9B96A47579C65A21D881865A600FB1A05BBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:34.795{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE24BC4BBB02A40374DA5DFAFEBCB9A9,SHA256=736BDD9F670BC7A96C370147C0380DF50177373FBBD6FDE4689C6EA2FCB6EC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.699{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BD32DCF3D5349826DDE68647061C54C,SHA256=654E36DD743747327F948C4DB59230E19CF048C0999A4FB9DBD70713CB64F16D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.564{30B46F62-7AA6-6352-AF07-000000008B02}93566468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:34.364{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.365{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.348{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5FC7E7C98CA74927EAB1497B0C2AAA,SHA256=600D9D1095EF9903193944B2869369F570022DD0DAC226070B751E2F535CD69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.299{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52198-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000235762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.096{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52197-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000354840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:32.420{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000235765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:35.883{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59852B80FB87C678E95D1746351EBDE3,SHA256=9FA56455775A8865BA4D7037A8A562D5A9C470205553C15096675037ACEC7D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.479{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CEAF26873FC927B8887BE57A5EBEB2,SHA256=E2BDBA8585AA04ED4D1C954B017586FF4B73D9751485C69A4E3869D2C5446DC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.173{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59813-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000354860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.173{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59813-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000354859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.033{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:36.969{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59FA83AB1423C3DF8D6D21A3F9803A5,SHA256=4701887192D609CA24803F9927AF641D9B622F9DD4384F143EA253714170C7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:36.960{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-208MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:36.549{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE821A2910235BA5B42299B921392E18,SHA256=0E01F5F852963E5ED3CC7A7C0D3DF5956CF37ECEF0DF6D21043E0FF9222E77B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:37.969{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-209MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:37.597{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F43D34831692C3AEC08BCBDFBB062A,SHA256=8CCA8488FF4E9734A9C4BA8037E7A1C5E77E52D5D9DD6B40F8D96E5DF802EED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:38.733{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6559A516C44A9BA132B11D7D88C5CE,SHA256=3166BBED53E6D7BEC8C9CE87EA07CEF8E45527FF08294971A19DA9E727759A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:38.054{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFF73855E36D994E3B303355D497547,SHA256=78345A0D638A2B0949C0F275B6370D8832B3D3585A86BC32A3D1B9C936BB5D95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.746{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:55:39.894{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB9AB16425ED640886DA1342FB5E9A,SHA256=F00BE24E6AA4ED61F24C51011E5ED2BA78F5A89568BB15DD9F2AECD9414D7D70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:37.412{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52199-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:39.149{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5138F56A4E92C2EC56AA7F3F10A9F19,SHA256=96673FABC97371F103B46A4CEF0CD0C88FD05BB1044CD69D6FB109109C141F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:40.948{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B879F97EC6016A66A4BFDF832972AAC,SHA256=F4D93BCA924A085C819A5F0364312EA89742288315B5AC5795D1E749B07C00A3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:40.246{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434FE5EF75663FA087B5960FC79A9210,SHA256=481BC3E2C826BF23FDA4365B81D643AA9F6397565BEB9B3862C790F3C74FF797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:41.982{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59593C30D9A4314D54DA1AFA5B1E202F,SHA256=9FD6A3697C303BECE961ACA8C23C5F28F6E7376A130766ECA145929C35074318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:41.327{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4BACC6E3C053F885DE4B85033D4A79,SHA256=F5F0ECDA8B9B751CDA2C04E4829E43428B9CB987A43D731B049C5634CAFEDE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:42.401{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24366F13F57A4392218D39F64574444,SHA256=A4BC66DD471ABE1DE09E4BAC2F0EA7364C87737916ECAFD177C58355492832E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:43.486{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83037411E5C2173D4658F1A8828D043,SHA256=893ED9D27CE91119B3FF30C7392D6418B417848E28FABEF0C438B023E07AB433,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.796{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.786{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.783{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.774{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.769{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.743{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.735{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.729{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.723{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.720{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.714{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.709{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.693{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.685{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.677{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.668{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.637{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.621{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.610{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.600{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.585{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.539{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.537{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000354873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:41.746{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59815-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.032{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F687F19229E3190CB8A8FDB3DC2FE3,SHA256=EAE100FB5F3CCBBB21C14FA2432D4ABF812915EDC91F4809E6DADAB2C7BC26C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:44.564{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA0E460DA25167C21579EA774A5D8F3,SHA256=D3ECB1BD9ECDCD1AB05079523596DD6BB5E1DFFDFF06E709FE9716C6AE35772C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:44.256{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:44.253{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:44.111{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED388D5B5B54DF60A0EE1BC81B60B9B7,SHA256=5F53E04B9C3FEF3BABB3A058B0F8332D3AB68B164984D6EB6B87C3D841ED0A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.850{EFF5EEA8-7AB1-6352-7506-000000008C02}39643296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:45.678{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.679{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.647{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834937DBFE23D09F8F8D837EE1D3CEAF,SHA256=A1DAAAF26C359D244C1FE18500544B1B276157EC2597E92E79613DFEAB6F6390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:43.334{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52200-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:45.206{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC5868AC84199C4256496E10EB6AC10,SHA256=2B26C58B9FB78A51DF017EC435047C0F1A9EEE9ED407BD864F1C207ABD240B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:46.788{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A676E4A7701DBDDEB85339DFC38DB1,SHA256=2C35DC2A99E3AB6B6562CA969F1FC15E9221748461B276F61F56C93E404EFC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.742{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAA4C5B841C2F998EE31A5564F4BDFC,SHA256=CD8F7CEC6B5B44F3CF2D35DA73101B3462CF7F0689658B1B7285C95D3F14EB5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.998{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.974{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.903{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.894{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.893{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.889{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.872{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.862{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.835{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.821{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.813{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.807{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.806{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.804{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.801{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.799{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.798{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.285{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.284{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.281{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.234{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D0AC535E068E4CA9B37ECC9225CFA9,SHA256=BDAE1C8B5D0A2F2EEC9085BA6A236D5248FF91E171231A699A9C9EDD9705A695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:46.618{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E56190E3E32AF61D36C101AE1152FCD4,SHA256=08D320B2AE3EEDED73E88DBB3AB5A4DAB302E4FADA124031CBEFA557B2276A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000235801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F336314D5E4FE7DC59FA0FFAF03E20F,SHA256=8A5A2323EEA17A3065475D014DCD0E72527016E68A3DBE15A61062A85389F1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.324{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853B02C6E1A66567B01C594BEF37F21D,SHA256=439BEA0778B36463AAC86D990A6D4E36BC66F2C5D914A74EFF82BE82C3DCFA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.257{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA6B988008FB8BFEB6ED58AA2BA40AB,SHA256=B02B04978CE5D35B7EDC82679F9CC1D0BB8FCDA94F59D0392874D0921DBCBB68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.740{EFF5EEA8-7AB3-6352-7806-000000008C02}15121996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.516{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.511{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.511{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.510{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000235819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.023{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.024{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.133{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.131{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 
10341000x8000000000000000354961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.129{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.127{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.124{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.122{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.117{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.114{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.110{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.103{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.100{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.096{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.093{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.089{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.087{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.084{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.082{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.079{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.066{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.060{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.059{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.057{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.056{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.054{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.049{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.022{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.018{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.012{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.011{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.010{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.002{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000235862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.983{EFF5EEA8-7AB4-6352-7A06-000000008C02}22042468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:48.354{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23037AC91A9FDDBB56B4A0F9AAE92A7,SHA256=B0FD5928C7B7644675846CDE71632DBFF51AEC0E6CBC8E0B7048391DC9FD6D5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.828{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000235848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.393{EFF5EEA8-7AB4-6352-7906-000000008C02}14202828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.163{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000354968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.725{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59816-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:49.502{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049B4E18A66132334DBC25EDEEFAC2D9,SHA256=119FA4609E068CF7BF06972D75DE556AFE17D23173D1EF6BA63D2B4A4F7FD73F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E62D542F625757C0459F6EAAFD81941,SHA256=BEFD7DAEF57124010C2A068F0A1F11D3E7B5AAC7AAA3C0F5634A9D3B80D529F8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.234{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C17F466FF25D9E7CF1D13461D426E62,SHA256=B426B3105608F04D1E05DC9875D0E92B43F90BEB099B6653C27381FED5B9F69E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:48.426{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.205.25.54ec2-34-205-25-54.compute-1.amazonaws.com62650-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local3389ms-wbt-server 23542300x8000000000000000354969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:50.553{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801795F107E311D043D03BF1CF685B7E,SHA256=85C6C5D2B3232941C78567E7CD91C2EFCE2703A6395E15F4B1362DAE67CF5F8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.451{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52201-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:50.136{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422524D6DDBB1D2207EF9F09E958B744,SHA256=3FB1AA8FE0EA6B60B9CBD7C5A3FA78ADC558392A5732FECA4A8E86702A7B0BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:51.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444153C467370542955316DD3F837368,SHA256=BA2C66102884D25AC27FC20E690CF78469F6413314A5954E99C9B14FB64DE3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.931{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.816{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000235881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.046{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-52364-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000235880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.207{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D7AA94897FE95BA134D34F5D33C5A3,SHA256=B799A9FA765241E1F272EF5C905C78D3D1D93E8C2F770A9049A527E8D0CA2853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:52.801{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8577FCC375ED13804809A73E43549519,SHA256=9FA40A3420472840F65906068405C9A4E93A3D489DB73BBB58874081B66A1B13,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:52.448{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C4C97EE284299ED6572216BA93DCAF,SHA256=3D9366E3DE2C90286E0D5AD767E45FBBFE03EB151C2FE83B0456FC2042095321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:53.968{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA18ED0091037AFC22783E0828CAE59,SHA256=D82CACCE7E3A123B55A8A8A90B4561BF8D461D36507E9296A6C575FFCB52E254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:53.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1F612FC91F335B81DF45338EFFF4EF,SHA256=62831F6A429DB2E998F6A397CFCA6B3C6CCCD41321BCC28BF91393D80A0D32F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:53.487{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E218214EBF60D3A1D6EFA16FC4A938A,SHA256=13160DE24D1BB2095EAC0F063B3223BCBCB1DF532977A8CC0C1389371F2EC111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:54.968{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDF0BB96CBC6B84CB41CE1E2C3CE681,SHA256=3F599A1DCADB000CD285CBACFE8250A76841E28EADB8C2D59D678C026D53A803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:54.563{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3A7AF3BACDA54B64D758740380A83D,SHA256=17D6A20AC01CF1D373AFEA3B43B5B3F81D0D0625AE145DC8352511483F5C90B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:55.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=998973CFEB96406CBBC37DBA1C8D3B7C,SHA256=5A8DCEDC8F2D55457472438D73803C82173A63E87DE76A3772774655CC35E1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:55.635{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6545ED2B290921CB2691E92142E9B70,SHA256=AB11AE171028C909D839A91700A6341ACA67025999A4EAB5FC756C9BE165ADB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:52.824{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:56.727{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D988306284406D34045FB31F3709D131,SHA256=5F47B4F976B51F3B692C253F56EAE4075245547EA8B487FA2CDF588C299B09DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:56.069{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE40471CC913919EB1798759B14833A8,SHA256=9D1D45D79D8D6AB95EFBEF566FC88F3FE8B6E3DAC107FC56947FEDAD38295AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:55:57.821{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8141E21790156A1901E73F6A226E19FB,SHA256=4FAAE04DE11A007ABE5C4B3CAB89DE57DB6843D0A38FAEF256E02D2E56C3BCCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:54.418{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52202-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:57.184{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0953F82E377C6C883DAD7BA0349863,SHA256=3D8F4E0D5B2F7862115E57A23F8C0BC4D8C5CDED231ACAAC5C9DF09136AE98CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:58.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE36D03918BC1F52EBE9C13D1567C5C,SHA256=FAA3A9F49FB80DA28DF53769C7981E74DBEED4D746E152725AF8CCBFA584400C,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000354983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.828{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 10:55:58.828 23542300x8000000000000000354982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.828{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.828{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 10:55:58.828 23542300x8000000000000000354980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.455{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=553D0C75F9C75B84E79B4FDB4C0BAF7C,SHA256=663F0971C68ACE15F3D7D565D4598200A822670144FA01E2D35EBF659E996236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.311{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281827FD2026FB6E8C9DE31EEA238A74,SHA256=3F565C5557B23B5A8E3374A399EBAD60B548A4E6F897B659DF5DD205EE416C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:59.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F660C390A219734664EB86D9D8AF5EC8,SHA256=A24653084DB09E8D82A51869F2C986F739337066F58887A157890161E06B81B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:57.827{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:59.428{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B913C59BBAEECC686B9E1E7AD6AD82,SHA256=B05A01277330A7417AE989C19382EFFDE3969F579CB9D3C687BC5D78F9EECD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:00.972{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2422048D16E7726EBBE0A044EF422A,SHA256=CDB4C34E5528C59A2EA34FEF2D83EFEA2210F4314A868441340683506EB10D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:00.927{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28DFAE07866F96B3317E1A3FD97537FD,SHA256=B68FEE5BFD41487508B8A7EE940C61A1C8AF22AC991B802B89A0C0695A85DC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:00.570{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7257C1F1A2743760377B4440532C9CD4,SHA256=9E90B95D61ABDE6B74FFAD0876D4E1BEFE92E17FDEB5516CF045577B2FADB09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:01.626{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9D47903324859A644809866B9E619E,SHA256=CB21DF03F01CE203988A4CE6816CA57699D2DBA2C58C9AE160F371C1655775F1,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000235922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:59.504{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52203-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:02.742{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBF5F85F9A142B3D7E7BAAF36B5AFD6,SHA256=9D58A8E58ADB28D2D665EC2DA44EB9E4194EAC1DEB472E6224BAA84B28CEEEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:02.052{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EA4A4903D1969D8E96CACC4E567EFA,SHA256=D41FDB2C457D97041110258FA6678ADB0CA725AE106EDF61F6E1A941B69DE8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EEFF4591610CF5DC602EF5E2DDA6E085,SHA256=ECA9EB3D53B229565067071EB3D5ED1ACD556D7E2C61599F4C52916AB9631A89,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.838{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.832{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.830{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.823{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9F4B54E7BD088F96CC3471BA59473B,SHA256=A13423E9F35B47E4AEB3283019A612E2F2B8A3203CE87C76F123023431ADD718,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.823{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.819{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.802{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.787{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.785{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.783{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.780{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.771{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.767{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:03.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF421806AB235E48CE7A14A17D2B4DE,SHA256=47B6E372365B847E5A9DBB728E8F83EF96B2CE845E07786BC886731B04BFFB19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:03.750{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.742{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.730{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.722{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.683{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.669{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.645{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.626{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.611{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.561{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.556{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:04.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988A19588B89EE6D3A2EC32A018B0633,SHA256=4412A35913E3E72790021196CCCE828E32777CDD461BB32692512968D2616A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:04.929{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=35CC27A62F91D27FFD94ABB6C23ECD50,SHA256=19D0C21BEC434514DDC225858A7C9EF28C2542757FC49110DFFDF1E89398B4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:04.218{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941929A3E993C6214B45ED4511EA07A1,SHA256=02F6786FDAFD737DB3E9A30AF8E8BBF23F50FAE94858564B80E6817EB6F20988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:04.344{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:04.341{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:05.959{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DE51BE48288EAA10805928184A9452,SHA256=B5C122EE642C0CFC3338F64E95733A211968FDFA1E133296FCBD4D8B54A7B58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:05.895{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7B214B88E2DD1F9FCE88C107D4D1E46A,SHA256=8AAD68C44DF78399EF7B20A2CF938216D60D346D1CE0A8A9F4F284A7B57E658E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:05.302{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C760BF3D128F4E0EA8BACFC6F8C607,SHA256=050DD41D6DE6F6B7456497B734F9B463E4F83E0F2172DB558B20BA81243714C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.786{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59819-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000355034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.987{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.975{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:06.381{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9BD88CE71EB7FAF97945BB95DE560F,SHA256=D8684A43F2365F85A4225369CDF01BF301C1A3376CEE4293E518D3CE492BADD7,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.946{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.937{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.925{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.919{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.918{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.913{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.911{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.910{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.906{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.905{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.394{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.393{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.390{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:07.463{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF98E0EE05C1F2EA79182E519E3216F,SHA256=D35D711DD0080805F234F9509BC399C2F76C8EA2F57797A074F3F7755DB00628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.259{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.254{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:07.252{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.249{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.246{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.241{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.238{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.236{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.233{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.230{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.226{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.222{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.217{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.214{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.210{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.206{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.201{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.199{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.196{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.192{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.189{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.183{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.178{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.175{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.170{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.165{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.163{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.160{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.159{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.158{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.151{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.150{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.149{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.148{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.117{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.114{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.109{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.108{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.106{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.102{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.098{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.095{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.078{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.068{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31688C27DB53C8A1ED3B5EB4F85A7B,SHA256=77B5EE74181458CD86DF6E3765E3AB670B24C4AEF21E929A85433B737C301D94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.030{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.018{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.016{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.012{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:08.555{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846343D4D19E34D8DC9E5CCA2B9EC34D,SHA256=F303D8D19BDFA2D69584AF38D04E6951B8B6A06F7355D67A92F5A118B04AE3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:08.233{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6070F144383EDF21AA39E0CE329A45C,SHA256=D2D15056AF73ACCA7B9796E7C6F6BCD8D85074872609E03D56E089E61AD25858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:05.461{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52204-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:09.626{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43050A185B0B9839DB205D880311789,SHA256=8B0C864356A4B3F31C3FA14727CA6E7D3843704415422AEB41990245341C3A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:09.309{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6829F972768C8A863AB7EB1CA5689614,SHA256=65AF2D330150936FDB3B6922044321FDEFCCA2ADE870C3C3784DEEE7D3A8FDD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:07.000{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52205-false169.254.169.254-80http 23542300x8000000000000000235935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:10.709{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE907B1D00340A3D2F2C58AA11EB761C,SHA256=40D35B79325763E8E3E4B972BD4E185DB2981457B0BD903BADDD763D5A85965D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:10.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7D7957D0A221EE034F6ABA1DB2503D,SHA256=2849384865CFE8C0C0907233B41C8250986EB18C0DF5978FAAEBA89825EA1272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.844{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000235936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.814{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5785540547CE39593CD9D4363208E34,SHA256=2128EFFC3C420B98D1EE8EBD1A84B0324105E68EBF78950F6D9608D9AB967FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:09.785{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59820-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:11.375{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A13C805CA996A64BFCBF313CEFEE86,SHA256=D46C23E6C8FC7315076D5E56B604EF831BECB59028E0FC52C93AB9B5C3D683F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:11.333{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=FB47EC98E4E711502A98C9B570058F6F,SHA256=1069EC5931774D1B500555F0E2E08C8F89CBA5A7D2869A2BC86AB3BDC236E3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:12.516{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9D5A2803727900EE8E6850DE29302E,SHA256=43DEB8897036A0D5820605BD1B9DEB8BA90F2E0A4E0AA42F9C1ADC03261C6B2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.071{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.066{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.063{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.059{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.058{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.054{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.052{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.049{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.047{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.041{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.036{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000355090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:13.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31F2CC7E8AEEC514176877E84425803,SHA256=CA7A09320C3082FA74040AAC687BE5AC0952CD4D5966003AC83EEF48482CABD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:13.347{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F4A2F92877686A769F0A9220EA9233,SHA256=920CBD3476F1D9E53C98A188D0BF6A56CC20D46BC74E510509A8DDFB6073890C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000355091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:14.588{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F241028BCB174B6DDE1A6D2C9AC3A93,SHA256=0FF0C50EA081CB28590A8D8B21F6E4648D93A131355455EED3765B973735044E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.437{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:14.437{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.437{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.425{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340696F62B9264096FAD56058170768A,SHA256=F820C638B39004EF859C0D677DB0EE83808D7FD11E9B863964E49F688408D36A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.417{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000235967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.392{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52206-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:15.959{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc51e18.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:15.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A7A2C97989B4BDF1C11C6AC69C6301,SHA256=2B98E365ED0BE44ECD1A8B78AAA7108157967A725F960E04FD2359C0AAF240F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:15.520{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E872E36A6EF98DC9ED5CD644B9F5EED,SHA256=BA9F1D4C6B48168D4A6D49735E818A3C3390B2AD11D4159C4E2C4FB4B7870FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:16.758{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93D232201360051A58524B0B56C3B3F,SHA256=44988FB1348F9E6BDD48BF3210CDBF6680591B455DA5DBE66946CB5C0394744E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:16.610{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563DDC3206001FB010F9FBD1AB01C4B7,SHA256=C807C87697ABF8EEC7023C0D3311F4B48B2B424846C7470399AA7BA8CF8A764F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:17.812{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF24177866508522AF369E4C2D6A933,SHA256=0DDA5FA6CB8780AAE8F494DCDF03A93933699DAB954A2EEC9817BFA7BB2EE626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:17.703{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB476C6B771067F7CC3F31A41007E11,SHA256=3B9336A247094003FE365A25B4C9395A9648153EA31B7B468390A8ED64AE4F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:18.883{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E28EE6F8880E8D8515DDA47B537864,SHA256=65C603F81E375BF8011389AB0618D3C5D60B2A648FF465920007238432476DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:15.757{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59821-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:18.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F217918D360C2508CBE54FB075DA3AB7,SHA256=66DDB577BC3B501EAEB692FC59832CBF0347B680F76F24C4851D75AAB337A3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:19.942{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECB1E9DB0E0225320E1B37F91322F2F,SHA256=21BB845D1F49CBA45F1E122756EE4EBAF7DD5CFC9177B74ADFFC05952A62E321,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:19.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4122ABABC2AC95FF667DD7F95267559,SHA256=D68C64EA73397EF9E53DCE68F8C525620CA0179A4E4BA45188FD65E8757E8F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:19.397{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=35A1F3492F1E3A1A1B6E1063BAA34E32,SHA256=60AEF45F5CE52FD50C71C0F6B4B9F5A4B3035A4FE411D3073069AF11A82B938A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:16.405{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52207-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:20.952{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBC5FE2A9F83FA2CFB0180DFE08A617,SHA256=3FD5F61FC244CC06F794E19672DC517DD343E70A3284DECA1ECCE0625FDE025D,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000355099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:19.131{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59822-false169.254.169.254-80http 23542300x8000000000000000355100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:21.044{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01412585C1024908732BAB58E2E29934,SHA256=DE3AA7B2902EAECEE569875AE5B2FEFB6A1787F7CD577B6895568F0C2D199792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:22.043{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924951728F99B8135FD6F649854E18E4,SHA256=B8104914DB57199C7C063B1F905FA804BD2CB89A2E5611FFFD86CF6CB4B69795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:22.103{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63859EC44054910DF0EA057B72A8404D,SHA256=7DAE80B2609566C83301860848EC6AA6260A0A4FA9CAC48B050BC84F608FF1CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000235982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:23.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FB1CBD04078A911545C3795F2D0386,SHA256=C264D60F7CED6AF50C98895B2E3834F856E071B1711EB4804EBFA7C5817C3B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:21.772{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59823-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000355125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.836{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.832{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.826{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.823{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.792{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.788{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.786{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.783{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.777{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.771{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.756{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.749{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.731{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.718{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.671{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.656{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.644{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.618{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.606{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.550{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.548{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.175{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB8A997610F5593211D4080841B699C,SHA256=480D421E33996A9AEC15ED2D0C7A89397F243970A62F6E9DAD9CA5A26F0FBFF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:22.296{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52208-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:24.221{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CFF34E847FFBA204F9CD8408F943F8,SHA256=EEB762629C25991DD8B00DB1A7FBFC8ED56C387EF7A21AD3665FF846491F5B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:24.292{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:24.288{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:24.212{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19D08B3832BC03B3589344715FF2B24,SHA256=D40C5EC5B4193EEF5CEB9171FA16E618210FE1341FE795A3ADAF2337599CB2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:25.315{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46B7148F8F85A2ACBAF967BBC7556E8,SHA256=BC775F148296FDEEC66F9711F7B35F663A90BEDA6E4B3C3B8973CE06057A298F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:25.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AA888F37A9C81D1DEDF6C73B9F1D97,SHA256=B1FAFB70D06F6CC21FF48F748FC04FFCF8DEE29FF5BC8307E59B6960A7D49B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:26.719{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-209MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:26.400{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8FF65BD39DFA82E08935D20A6D065E,SHA256=0806203063E820DE89AF33B16E9C59746BCB4D517C39B39A976973E954BF01A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.974{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.961{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.958{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.935{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.922{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.885{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.871{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.858{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.849{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.847{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.843{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.839{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.837{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.833{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.832{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835837B519BD3807F7C900A3B96F3E35,SHA256=D645859619337C5EEFA462223EA99DDC3F9C41975CD49DF1A4504DAABD3074AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.313{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:26.312{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.310{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:26.040{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.040{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:26.040{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.025{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:27.725{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-210MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:27.489{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FB27E5B792A5FA61DB7FC68127D235,SHA256=7B53C46B5501F0246D51A827E1AC02D7EC17F63C121555F5C9750BAC563EC6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.453{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB84EDC1BC07AD44C5E979D040E6D8B1,SHA256=3DF2C8E7D6D740997EEE4ABA913BE13F6C3B1169F671AFE427808D241D787C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD2DEBCBBB90E154335BCB22AA4083C,SHA256=C518425F6A3D14AAEBA692BDB294FD3C94FEECA36F05998BF4E0A98FDF3D596C,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.152{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.150{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.147{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.145{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.142{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.140{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.137{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.135{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.132{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.130{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.127{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.124{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.118{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.106{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.099{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.095{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.089{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.086{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.080{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.079{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.076{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.075{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.071{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.070{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.043{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.039{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.038{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.030{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.028{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.014{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.799{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.799{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.799{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.798{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.798{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.798{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000355217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67D1F9DDD9494EB59BD9E474C3428482,SHA256=C1B3F8A444870D0FAD6E7605BB3475C2FB4BC528761DAC65C7A628EC78C4E932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:28.682{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.684{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.513{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09460002ACE0293B893362A78A6F55AC,SHA256=08937D684971287F042E19EA209C9DDE82EA0B3D014019B3E30F0F6958A003A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:28.595{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B600B82A2D2FB75906B91471F5D810,SHA256=64D28E063C8A4EE78F6E0DFD2DA13E0C643FE2E26B3CA758EC7D4B1E759608DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:28.055{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.056{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:29.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C772FF8A398ABEA78CA1CDD175AB6A5,SHA256=43BC349364C23C765AD59B7BFCBA2DBD2A383C33EBB81B45C88B2E298262BFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:27.439{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52209-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000355235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.681{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000355234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.569{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0E77E37DF61454CE74805EA28FDD46,SHA256=1FAD75B76DC8511E601463706DE7326E118E5AD06C5B5AA87B5D71BA1D631661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.515{30B46F62-7ADD-6352-B307-000000008B02}758810208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.335{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.332{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.331{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.132{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AA2B0C4AD92D5D2B43E9D95B7E8FB09,SHA256=C4BCE9F3616B957F075C8092DB1CAC5C7B166A8D06F3FE3EB6931F01EA659303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:30.647{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D356D1A2E12B37F928764B87C5566BB,SHA256=C8FBFC5675AFFC82E89923F66E3EB3029A0D847D3BEC3EFF4C2CE9639C92A7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:30.618{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B204F9E8967AA517378C7CF469BE4204,SHA256=2B121AF137B69C78A6A6C12B18CD2766F49C1D03E351615DD2FADC3DA3F477A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.672{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02205B0097AAC4FC7656DD6558A2B95,SHA256=781B52B4985220597D8A6F38407A81786B3B16E3B3F52D4DCAE363D8D3D15548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.979{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.876{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.846{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.729{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2371E429A9F3F9614D6D93B7C4BF1443,SHA256=7EA8614068815ACDDDF985CA34D626074FADC383B97E641F942E77B845A47E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:31.604{30B46F62-7ADF-6352-B407-000000008B02}71249576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:31.388{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.389{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.061{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D47F55533C20BAA8A0E7069B0772D27,SHA256=ABA83BB358EDD96F7B3DA6DB3F821646A060062B41A8702E6D95C25CE3B35BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:32.842{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:32.726{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F021B7DE2DDB7F7A020F0CDEE9714709,SHA256=1B6693797727F04440FFFB1832E8B0B3D68AC93B01718E4856B292E46F142DD9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.978{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A2CF6EF1D8B0BF10A8BF879D2B2FAE,SHA256=77342784E356ED79433EDD43239FADF5DDADBB0C7C55F4011276D5D70A4A591E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.884{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.054{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.051{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.049{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.047{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.046{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.044{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.043{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.042{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.041{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.038{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.035{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.017{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.008{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000236026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:33.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A2B6042F80E0E6D04DE8A5365BB26C,SHA256=B08DEA6619D220C987253EE5A23C3FBC12F0AD788136EC5DD16D72CFE4FC1130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.961{30B46F62-7AE1-6352-B507-000000008B02}75482420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.846{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CC0F1DAC643ED7A358BFDCA86DAF6B,SHA256=CFFE5515C0AEBBBD26B0981FC0CA0E1B8D33B437820883B45F7F3BDA61C4B5A2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.775{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:33.708{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.709{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.958{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.956{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.956{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.954{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.905{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5804F3821689E9848C306EA95E5BB8B3,SHA256=627C3F4295CF4E618443EB2425263954C3C1EA816799B95738560222471A9AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.117{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52210-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000355276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.678{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12414C12EA3B0EA3B2B11186E7305D77,SHA256=41A8B662541E50DECB1F7B8FC61BE9F24636E293BCE084A7568219F1F67EF65C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.589{30B46F62-7AE2-6352-B607-000000008B02}87487552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.379{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000355266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:32.447{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000355289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.676{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:35.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736417DDE9B24D073429DDB0F0A219FB,SHA256=871DA143B905E750A73FD0A643ECE6CEEBDF511B1D0F5F87574E07713CC969CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:33.423{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52211-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:35.070{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B81C8CE3A5EB623E47AB5B6A1C61777,SHA256=D829A7FB877C88B576042612AA97461800437829A3F95EFF428E1CC6BE37010D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.192{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59826-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.192{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59826-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000355290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:36.994{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4E8674C2B7805E54F55096B217B05F,SHA256=428B10962D7ABF87A84E225A90694AAF856CBDCBDB52210F3240668756EC5E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:36.158{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543BB3E887F68F52DA06AE4732858E7F,SHA256=5F2B01B6943BCA0D5D5F2CF5F08642356774792C0E91B1EE7806B69DBF7C1C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:37.238{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A31EEE446B1C0638695A8A85DF4067,SHA256=669AA224F5D1227BB785E554A2637D2F77B0E314317C7C9E9DD7EA5083C93346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:38.332{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D41B8938A1D58ED22164C92AB469299,SHA256=94B0FE556AA6CB94D557AB4540E9EF5A2A326960DE1DF88F50C3099C7CA9DBAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:38.490{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-209MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:38.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C1E6613779EAD5C7E8AC0CB5B6E5D6,SHA256=302B40727147AF2D9C7BB83D4647A3F1291745B3D532AD2ECDF32FF1534BF190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:37.884{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-54199-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000236033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:39.418{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F048CAB49AF22ACEB6CF43156FCEEC7,SHA256=26A0668ECDDB9CD8BBD0B29A75AF086B68186D57974871A8797C180981B4E265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:39.491{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-210MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:39.189{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611212951E1E422B3D3863F8BE1488FC,SHA256=8CB7CE53232E9713CECC6A39D64DAE64EBFE0F1BD6A73C0CC0F2C8E9C48343B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:40.509{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D011B9E18E9EFEAA1C682CDC659FA4,SHA256=D94D3463394082AD61215BF3D6E70305C8D15510EC7AC606D69D219D3157158D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:40.267{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B04339ECA655A4D64065B7A55F26B00,SHA256=AAA9ADFD2973B93613331E85E1B839D5F9E77A997DC1005699C6D95B19F21A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:41.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D89B4CBD9C23FB20C3D8A9E45DA06A6,SHA256=F9D5EB5F51FAF63B60F0FC75529CBBDD6A16D6489A28E586B4032E8042D4D642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:41.607{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4AAAEABD4B0C38140751DEAE55B902,SHA256=E896C72F8C868C11ED0438B856EB0793E48E99724570A655C1F9BE097091478C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000236036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:38.777{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:10d6:176f:f5ff:fef0win-host-ctus-attack-range-144546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000355296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:38.714{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:42.682{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CFB2745E2BAEC627720F745F5A31D4,SHA256=B9C17623BDBBE01C1241BC46A485928678F13220E76583C919B60CA75AFF3EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:42.371{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF56F33281A55080F7EE2FC02E2BBE7,SHA256=35C09217BBD690E764225946971E64785308B4F8989BC43201FDB5F1C5A720BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:42.353{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F695001B64BE9EA4458FC5D0E7F7B7DE,SHA256=5915DDE81FBEDA7922927A08263CAEBD8F558330922F773C9F2FA904CB81C7D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:39.340{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52212-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:43.766{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFF987584F1A8612C90F02FE96A5C5D,SHA256=D1799B5F0763F7872E41B8F96D63EA1DA64E8ABF6176DCFCC3D17D7B7B220489,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.851{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.842{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.822{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.821{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.800{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.791{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.785{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.781{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.768{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.752{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.731{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.716{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.703{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.689{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.662{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.639{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.627{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.610{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.600{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.552{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.545{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.427{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64374BA7ABE526F01763B618094FCB46,SHA256=D99DD22C2C33F1D7BAB2B1087F6A5945C6342B01A6FDB2FD5515AF309060E7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:44.846{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2DD385669DB6AE4B70C0B89C611ACD,SHA256=FD20963E45659671E0F735876196F743EF9B5A559C5A0C9591A8A3A9EFFEED78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:44.559{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F184C753CF475E072F8DC62F3C10F98,SHA256=025993F17DE406EC53B0D0FFFE124231C4FAA88A864EEE70F31B1ECA4A507E6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:44.327{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:44.323{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000236064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.918{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA556757CB417BD1B211E30E6E690021,SHA256=3273E99FD60E8D625B30CC5825EED23F28C2D8E21A5594E57023645CE908A4A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.864{EFF5EEA8-7AED-6352-7C06-000000008C02}10923476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:45.605{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6AFDEFB812D0C54AA6C665C252D81C,SHA256=83998CFD3139CE19082B9021470DA28B2CD205E0DC6802E186CD42D782D993D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 
10341000x8000000000000000236060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.686{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.016{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F8E1B2976136AC412B22D4B10B13438,SHA256=92889E61900DE97FB11ED53AB2E8BA22AE75B74E75365175ADDA16169CCC1143,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:44.484{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52213-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.900{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D16765A14C17199B4EB618ADCDFF0E3,SHA256=5151A1CEF4CCF91A98B901254A8EE9E9260ED2680A12DF59A5E38616C2CC71DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.492{EFF5EEA8-7AEE-6352-7D06-000000008C02}31203616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.353{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 
10341000x8000000000000000355354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.986{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.985{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.983{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.978{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.975{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.973{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.962{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.925{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.919{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.917{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.914{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.896{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.887{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.866{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.861{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.854{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.849{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.847{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.845{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.843{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.842{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.840{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.839{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB3830A437A1BBFA90DD2A511A17A6E,SHA256=AE510B28CCF1E86D438BD0FD5E110A42D827E7C7EE8F0547B10449F50617D24A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.337{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:46.336{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.334{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000355327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.737{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.914{EFF5EEA8-7AEF-6352-7F06-000000008C02}8001020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.709{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0888C4E970444365F1000EA55F3FA3CB,SHA256=C491A5275167D84C8E7EFF8D68132FAA422D1E25668825B2B80235070E0F9150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000236093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000236092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000236090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.028{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.206{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57440FC6E8B5AE594F300C0B45B846CE,SHA256=3A05B66E2FCD1EA0D25CD1127ECAF8E55364A5055A8F21BEA452428E781505FA,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.121{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.114{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.109{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.106{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.103{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.097{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.095{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.088{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.085{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.080{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.071{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.066{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.062{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.054{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.041{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.040{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.027{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.026{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000236123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.971{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2EAE5C565CC98C57289FD5A1B31902,SHA256=877496E1B84EA9E3C3815171EE55CD3F4B87C3FC43DE01D434143D25B625161B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:48.769{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3992A8FE06400F4173FE99034C35289,SHA256=9816191BB86CB5739670679E86B98A27B322930242F60716470E6989A3433DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.455{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4811DCEDB3B4652BD2AE8B1B600F2439,SHA256=D3E4B039517C06A74884AD828F041239BE3134E75B26E5C1D5F1DDBE600EA6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.455{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F798FCD15196E17395A47AC91DEFEF,SHA256=08EEBF1DB8E88F547268400125EA7F59DF4EAAB3E840474ED98D13C8E3BA2529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.378{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:49.813{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA00DDAB1C0FA73C886E83DD6C56BA,SHA256=31146E402F862F5A0B10AC9AB8363E2FE4CB825984F062B292A74BD13EC1735D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000236151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.612{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.564{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D202145C7D3952C297BB53613B7002E2,SHA256=C8C9F75FB40D66EF61359F16F35A5CE5A73286E50A0EAB0C34CAD7CAE4D1C759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.271{EFF5EEA8-7AF1-6352-8106-000000008C02}656496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.054{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.045{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.045{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.045{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.044{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:50.858{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673DAD38600E58B7D3D138F1BAF31DBB,SHA256=65C819821D462F01440ECC12C0C8632A7E4A2671EFFFE882701380E42B3FEC97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:50.242{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316F2CD4CD82003764CA46635C7356FE,SHA256=EF08D0692738D64973B8F6C90AE09B6C5BA1EE985B3570E749F56EEAA31DD0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:51.897{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E307E93315FF92F13F108E245AB723EC,SHA256=94DD43A8668CE23FEA98F4BE807A16259FFC5FA2080BC97CF879740F7CF97188,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000236182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.972{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.969{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.957{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.954{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.940{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.877{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.832{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.817{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.815{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000236153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.461{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8B39AA2D6FE0E3B4D1280E9D5E9570,SHA256=38C78BF26BB1B75860BE5661E3C4C690845481B9F493913A9F1A07AB5E5324A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:48.738{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:52.934{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F6E4C9D0108F30A83D1AD6A5C2FDD,SHA256=66E08ABFD291A29EADD02DEDFBFE2C9982E817BA7862F82CAA1C83A3CE505B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:52.612{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8596CD7982256A60A2523A7CDC3FE943,SHA256=F81882BCB42E062DE13E40E2B0CEFD646AD9F4FE7BA99C9D835973C1C55AA538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:53.977{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8323AFF5CC15269A6C1D7B060641E5,SHA256=D57BBD8BCED184ECDDBD434624D85497473026417EB4C96D21F79417C91AC617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:53.726{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C3ECDE39A4F6925CF3A80934D864C6,SHA256=AA63D0DA1151382B2D6F9C4CF5049FF50E95F9F7301E9975E1F21943E6E5CA75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:50.385{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52214-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:54.811{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0F2EA5D29B24B331B0F72904A51DCA,SHA256=337D4937FF8392142C143C589F203CC94BA9BFFB8911B9B842313463C4B6BCE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.850{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 
10341000x8000000000000000355401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.748{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.748{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000236187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:55.892{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5143F039856E47D000B43C40AA80B3,SHA256=B7D00F5D529B65DE2F2DA8139C68FB812DA397E92E4E4FFBC40B067476A2BA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:55.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BBFC7C2C29F2011274ED0CE402E5745,SHA256=D038EFE7D44BBCCB5C61220BE6F7344D7948C0DCFB2359777313F6B6FC40604F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:55.065{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F125FFDD344C357DA4FAD93F3625D49C,SHA256=D074C374CBC1A8B0351EE1A66917710E67B74D8B0F2747F4DDEAAABD9AA6F1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:56.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A38DB2CC6AE06130DB28E663E3D315B,SHA256=AC5BC58C24BE7105AF9B68176E0F18A9901E9C90ECA738E15A3ED71411AB1741,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.676{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000355411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.479{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59833-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000355410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.479{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59833-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000355409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.386{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59832-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:56:54.386{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59832-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.378{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59831-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.378{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59831-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000355405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:56.124{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F40E9C09A8838E0B201256A3BA44136,SHA256=C79CB1F5154C50261EA6B431E05317D3D01A6FCCFD9C37BEFE75A558F7C7817D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:57.188{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63414863B3C9E618BA4D89375DE6743,SHA256=2B5CA0F2AA329EFD6C733D73584DF6AACFF22EF9E1B939BEFE6BDAF15CDB1229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:58.260{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709CC6EF1AED1BEF2055EB0E6ADDF73A,SHA256=3DB50AC25997E95CF54C59CF85E68D69FFBD0155143CB9256D0602A534F795DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:58.074{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381DAE5575BDD79A95B528880F5C2A84,SHA256=18A7E46C12AAD271F48B3FAC3B23ED412CD672FF7054FC307979B1CFE90837CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:59.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D917F004B945DE5DB93486A9943D41F,SHA256=709CF353318CA4EBB4706178301F14608606A0419926CB153C16DDCED123882A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:56:56.293{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52215-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:59.166{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596A1DFF6D948CC7483A94855B6A94D5,SHA256=BD2E70B1B23FCBB5E3F8D58CBE47BEA8345D8E16C25F0235C04978418E0321AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:00.380{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9C4C4E3277095ED085891FF32F8651,SHA256=97968B5CAC3168BA6B98C2C33E5881215FE8A9BB6B1242716BF43425728FB801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:00.250{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F956E2C346BFE0F42452A39D9810DF6D,SHA256=C3E41909A02BAE919581B3ADBD92A38D2AB0897D30DFC70E73A4CE63A4CB7B98,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000355418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:01.441{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7C79FA5D48181FA8CCA0140A208D6A,SHA256=9C1554503C96C5DA7302C89DDA2B45E9025335FD4F01B6D46DF47744C79F8D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:01.327{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E078CE352AC5FC01F63DCD92AFE095A,SHA256=1501DB3E7229F2A1B19DF3627BAC07813114D2D170D57DB0429A84E4D798014F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:01.140{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0E22C7316B3A72BCF8BDE8EEB8B7D657,SHA256=34E7FBF7C7AC9A2F0A431328060F9CC200D88A41C2303DB52954286E3C826B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:02.485{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB58A072450806293CBA112FDDF57EA2,SHA256=A66C8B84EAB55BB498A15E0B09E8AA867437B9FD78882D3D563431AC1048AE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:02.415{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE262DBEB3C98AB6BA1C9147EBEA60F0,SHA256=B97198BAE6DDDF9E0DB4CA739A1C723008DB94CB6FDEA81D7DEFD2C6978A9C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B18C1651F0B522C150A40334F7EAB35E,SHA256=B1612973BA632F28D2EEE18D92B3BBDC33746C0A27D6E4CEA8F68CC6F9F26C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.793{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.788{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.777{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.776{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.759{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.753{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.751{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.749{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.747{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.742{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.737{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.726{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.717{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.706{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.698{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.665{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.654{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.646{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.636{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.627{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.563{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.560{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.547{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A176F3242F52338961910262E5B36D66,SHA256=A035BC15256B250EA9EB5B196E2F447907484B81139A2CC5E658147B6CE1DEA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:03.503{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238937ED6E10E4927D3C9AC2FE0E67D,SHA256=7D448A0132E4B8FC5D0A8BB7D2824E8EB214438259425E5301CA63EC30E1466C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:00.647{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:04.596{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984952D0D4C3E63F65D5DDE9E2618A90,SHA256=CD4E2008B979C9F21E331164DCA06104B247766A6859B18B4845C9AD6FD78DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:04.588{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF35136D53FBC50DDFE3826FFACEF92,SHA256=3E21F0356E625EEC269F686261CDC849ECD3EED368A39C0376B48D510DB79870,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:04.221{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:04.219{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000236196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:01.497{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52216-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000236199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:05.906{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F65AFA02523957873E35BE0A28D90CDD,SHA256=DEF3D2AD92C95F668C3E809F7FCC35D7C2B119E3D5B892B781C55E226DAC3A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:05.687{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E2C4BD6D564995FCA30B056C40CEB3,SHA256=02DBC0996FA08189C7AD5954C9FC98CC6C59D2A5135907DA88958CE8F48E5404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:05.674{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DA57D142EBE00D8549AE855523B59B,SHA256=F2E3F064B1ACDB19FEFD9D2AA5FF93AE35B76FA1A66A675B45178DCE28BA6972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:06.769{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2735567076D205308A8B03449A4D4E4,SHA256=C3810D21498DFD8A0FA04FD6EC0B0717725E397E229B6BCC15636172BF3B03AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.988{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.983{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:06.979{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.978{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.976{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.973{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.969{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.948{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.879{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.871{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.869{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.867{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.848{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.839{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.816{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.809{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.792{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.790{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.787{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.783{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.780{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B8BDD82EEB7765E7A932D9C27B69EE,SHA256=ABA5189B121E6D16BD84B8F01EE72568230D156C52A705A0C6691C1626AD1929,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.779{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 
10341000x8000000000000000355454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.779{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.677{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33FA3E5716AAD15FCEB449E7C406EEEB,SHA256=A467E45C60F7C33FBF7541D05156BE35560854D5984B56517C36E4F1B1EE1A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.254{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.253{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.250{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.709{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1FB86F1197F2FF501C7D17D7E0EA16,SHA256=FB1BEBB7E13D9DD69064706D352C5A1CBD79A0CD44682C1BB0A2B30DB11F17D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:07.857{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2639CC597627D3FBC20CA4BF34ACA2,SHA256=E1824D8F00FD0683659226B09073A735A6259E55286B05D08E475CD7D84D17CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.327{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE01B9AF8BD86DEC7D972C464103BAE7,SHA256=5856930FF58765986D3813CED9D985585A55FEC53BC6BB8D8D82CAB861E4DC0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.124{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.122{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.115{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.114{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.102{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.099{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.094{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.088{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.086{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.079{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.062{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.058{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.054{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.049{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.039{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.038{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.034{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.031{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.023{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.021{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.020{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.018{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:08.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0944CFE5792C92025B19CAE780BA2479,SHA256=E5319C0BC7CC17FBC27AC7F0925B8155494D00640CA5FEF43A3E2F4B5CC30501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:08.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9013A1DD20264842F68AA9B3DD843CA,SHA256=2086FA541C950F8CF9C200794B66C8B034F0B8025028448C9B7DD31E1BD195B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:05.788{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59836-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:09.858{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1BC3C0B0B8F2EB24AB0FD6048F16C9,SHA256=3E49D5E56FA7479CB9F2FE2668C8EBAB67271127D37E1DA1805650082AE9F4EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:07.402{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52217-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:10.902{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C2246E5EDE18043626758587D8A043,SHA256=0B29C77954BC91591EF9D3303485FFA1D0F71A099A11D345A182219D8865136B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:10.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6CD8160FB6CB853E59F739853E0CD2,SHA256=659409231361A18866050E361160D7EABE2A9B085574CE8C65F5193BE0CDDFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:11.970{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBECD8807834A572DC82AD6CBE5C6A4,SHA256=43621DE2A2380325A84D71CFC043425D818BF7FBA67B00C5E0CA41A9D9E13A0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.996{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.966{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.951{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.938{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.896{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.873{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.859{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.832{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.112{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13479B9369A2D965B7B8316892CF3CEA,SHA256=93F87D4029CC14105F70FD5782CF867F80905856FA4F926430A89E949A5935ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.360{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693C07C63393395F14DC6C79F08E6D63,SHA256=D515AEFC6DB56ABA1753B4070E8E5156C2EA11C098B54B90B339C9F828D48D30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:12.100{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.093{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.089{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.081{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.080{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.074{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.073{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.071{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.066{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.056{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.049{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.032{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.026{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.023{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.008{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:13.471{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3750341AB2163C9D3860C82EE9035C,SHA256=ED6056E71CB2CEEB4900B02F0303176C0DFBF4B524E349F6792747AFB68D7B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:11.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59837-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:13.119{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818FA1D9130F3B37E67DEC6A3FD32841,SHA256=5F8C8FD4B1FC8FF7878151B9E557ACDB5304C596D1BF28EF30C94E4D0C589390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:14.555{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87B4C8A317885DDF743B88346FFD559,SHA256=E40FA845421EB4DCCBD2E875CB5D8F34703D5E1E9D0185CBC14482709D25D2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:14.164{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BFB09CAD3C56A8BD33BA081FFB32CF,SHA256=B08F8639089E58246C2A29D2C12524510CABF314812954CEC2A892BE4F695B9B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000236237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:14.418{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:15.651{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AF95268B4AC8233051A86B951EE718,SHA256=03E4DD013F12147BCE2AB402EFD231F6CBAB98274860BB8CDF05D02185F7BE9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.516{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52218-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000355524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:15.208{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A35B7DDAE003A498FFF22ECC37F00FA,SHA256=1D97881196B1E158A14743F29AC0EB553FC01CCFEB1E695EEF1A064296ACE844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:15.417{EFF5EEA8-485F-6352-0D00-000000008C02}7881196C:\Windows\system32\svchost.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:16.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8769798E35540574E5F670C70173588,SHA256=9A21B3590753A504FD74384CEA38990D06073A93269BD95FBD8EFBE747EF619C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:16.244{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B220EE5BB9736851A68FAC19A7B44F1C,SHA256=935D4CCBC45E0B9B55AB482FD170FA1846E3EEB38E72D7012F5AADAC0098CBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:17.831{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74B064C44B5D9590FB20BA21B0F55EC,SHA256=407DB2271F7C001A08325312DE06391B3C9D84E7F7CD0611ECDCF87C594C604C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:17.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D62EA8DB09BAB3952F46C845D2B11E,SHA256=D167E73F4DDA9F8A4B4D42EDCF94FF00DE366B522179FB64AB535AC06D602C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:18.925{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA918C348678BA2BC16EABBBE88E846,SHA256=2D0DD76AEDA3A2307E10B6AFD3F000276B615E8BE628579B310E7FB7159A948E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:18.431{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466E33944DCB6AF7C8475AB21B17D2AD,SHA256=CA2ABAA21161A1EA3890FA33C35276E92D6EE63479085FB974DB6AAE8278BACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:19.576{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73392AA0AEB2229801E80DF9A6A526E7,SHA256=B24E18C7B1D41D47339BE42C2E8C9E3BCC822FC0CFA502ADDD415A32FCCD5FCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:17.758{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59838-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:19.723{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=80035C2609156574AF4F665AC9818C6B,SHA256=A0800162919A498A07E0B2248C4FD8A655E4CA183E1271D442D5614EADFB3B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:20.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539875E0701741E38E26B08F2C9C7CFD,SHA256=81451CF44305E59E7D623EA086FA1F93D724615E9B4D250C0FA5D4A4A2ADCB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:18.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52219-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:20.004{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3195E5CC6665D164095FEECD6FE224,SHA256=A692FDF278209F9CB2B880ED73A68D4D1614CF79F7B7663CF88CC177B0F593E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:21.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1357162AA1D8A34490C19507CC91745F,SHA256=ED3B6B63745A530CCD4C134A04F7B5243D6BE170B8E3F1EE86F39AC6D1055E9E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:21.110{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB5191892983046AE677B5276981B17,SHA256=75FAFE60DE13CAAF4838C9BB587D2F7AA899F2FB688E511F7C9A47201AFEF354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:22.640{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE2FAE09E94116E76CF5573AE73E12D,SHA256=FD5AB8B58A4A26888BD7B8EED46CA4C5599B56E186E59EDDB58F492E538FC54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:22.194{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCAD0FD6EE224E22A2ED39E27273B4B,SHA256=F7A661D86B877ABB4459F19F37491AC42AD13C1DBD545285EA205C958F3E9D84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.880{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.877{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.866{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.859{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.852{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.848{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.844{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.842{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.831{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.818{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.808{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.799{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.788{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.767{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.717{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.701{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.689{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068344AF177D04BBA4D9FBF996ED5449,SHA256=5DE1EA34DEAC74F762A114E2A3EDB964C5BAC67B775F5533BABA93ACE593012E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.688{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:23.669{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.643{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000236250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:23.275{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053690D1AAB157B27448E72C00F2F3E4,SHA256=20204051566284442F255C5561F8BF2B2A69287A93962AC238E04A65ACC8DDE6,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.567{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.563{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:24.712{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26A530B8244458159B0E60642083981,SHA256=9A31486D33A294BF6F3D7649F98CC064456DAAC1EAC2AEEF55AD6E5A897926C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:24.367{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4368AE537C4C963F46BF34B85D7AD5E6,SHA256=18270A5BBCD3BEC3B28C3FE1E4EF90CA04C10E0BC99D204A9B5F495BA5B52B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:24.327{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:24.324{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:25.789{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440E0D2F2FF561FEBB5EDC23F1E25EF5,SHA256=417896FDF96933A76A50AFC42248CDC3B9EDA4A09EACA0FCD436FF5B75599330,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.729{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:25.450{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8FB1AB008297E2BDF9AA3CBC6D963D,SHA256=A285BCD5B1E2F741D311B395D26540209535B8EB03C05D9832CFC9F92512F473,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000236254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:23.447{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52220-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:26.527{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159C3FA3A05AE4BFA4482DF87C2831AA,SHA256=B214AAC2D293FBFA2241DF34EC6F59B20BAB30A805FC67F71C40F2AC3CCAE767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.967{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.959{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.957{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.955{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.938{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.927{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.896{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.889{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.879{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.874{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.872{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.866{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.866{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.816{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AEDA311B2C9538266CF7D5B17EDFE9,SHA256=18AC1FC27CD9ACEF8695BDF2AB53CDF84F7796C5E7F864830F998AAAED2E2B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.358{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:26.357{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.355{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:26.042{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.042{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:26.042{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.024{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:27.870{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DDBA5C9B3614ACEA8DC9F6060FB396,SHA256=EF1CCF71735C50D4B2BA414002A0BC5B8C0BC1CDA51456F2DDAD632CA906CBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:27.618{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94C85EB6EA7C05FB585A5BE049F0C37,SHA256=CCE503C62C22639C22D1952C4DEAA8A123E341E23515B8905234ADF66B42A48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.447{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD358DDF77683298F484A80C8140D15,SHA256=11055B11B9DF91706C1AE5865934401D319F5CE15EF431FBBF67C62963E33D6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.145{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.143{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.141{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.138{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.135{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.133{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.130{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.128{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.126{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.123{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.121{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.118{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.116{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.112{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.104{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.101{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.099{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.096{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.094{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.092{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.089{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.084{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.081{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.078{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.074{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.071{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.070{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.068{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.067{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.066{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.061{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.061{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.041{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.037{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.033{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.032{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.031{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 
10341000x8000000000000000355589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.029{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.026{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.020{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.011{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.977{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E080C00A3C9EAEEDF218E7C076D72625,SHA256=C1722EB6356BEDF9953C76AE29D387AC38DFCA40352FFD5FA0DF683E1A9D035D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:28.704{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007A69DF89618DB64F70ED2187653EC2,SHA256=63329AD1C2724A535DD5666C7EC1F91C85FC5568A05F16BBBBF3444146D06E71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.695{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.503{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0C070BE9C97BE2C8B5BC48C26E4371AB,SHA256=C1E0672439D8D5CF751F0EF85E790FBAA1C57477DDFE757B1D6FFEEBEC04448B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.049{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:28.243{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-210MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:29.798{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB19DE54182ADBC0B1FA68B970C21B76,SHA256=60058EB5B1C68C5B11967408CF4A58C53A283E3ADAF87FBC258D58F350E5D297,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.379{30B46F62-7B19-6352-BA07-000000008B02}89449908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.195{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.094{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614450BD23164A051C226C00AC70E765,SHA256=75F710E708571C5632ADE7368BF18D4BF6FC5438688924723F81991E56BC5797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:29.251{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-211MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:30.874{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A80C22EC77F4AD823F8ECEC4CB8512,SHA256=42C9C6F6A878BAF128610909BE3A850A8FE0A624CBF372BCBB9156CA2659F22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.822{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:30.073{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E165A4AC951067A7864747558BB2AB5E,SHA256=3B055ABBFEBEC5FDCEE114916F3AAAB828AD50D9B3C002968749CCD4DB447EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.998{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.988{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.986{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.985{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.982{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.979{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.969{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.967{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.965{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.957{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.944{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68B15887601D8FE420C9C818364AD40,SHA256=879913A082C8B46F9676DDA8CC2CD586623FFCAF1CAC92F1EFAD99AD805D48C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:29.406{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52221-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.903{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000355677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.607{30B46F62-7B1B-6352-BB07-000000008B02}98087628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.455{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.455{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.455{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.454{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.454{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.454{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:31.398{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.223{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF83D17205E1B06001EEC500B2D807AF,SHA256=DD0D4BD38CC05E21206ECFA876F898693E989C864E4E6273518C770EDA566A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.154{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3019A15FE9740C50A108022CB16E822,SHA256=B43BEE25672220471A099A7D4383B2CD586D825D55D050D143A18C3A19DFCF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.868{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.841{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.834{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.831{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000355684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.884{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000355683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
10:57:32.611{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000355682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:57:32.611{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000355681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:57:32.611{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000355680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:32.602{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.602{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:32.242{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1956768650DCD72B4819C282D9A756,SHA256=092F5158EB6460640140A3511982FBEBD97437653509247CBC9CB56873F92D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.908{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.017{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000355701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.249{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49802- 354300x8000000000000000355700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.247{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local55667-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000355699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.246{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58400-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000355698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.231{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59841-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000355697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.231{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59841-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 10341000x8000000000000000355696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000355691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:33.645{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.446{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:33.443{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.443{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:33.343{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413E628B7A1D48207177D84BABD6C504,SHA256=68568DD7B7ABCF19183340CCCD2DA6D1A4CCBDEED89F5EAC96EE8F7398271410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:33.033{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A7735847F3021C72226005AA435F81,SHA256=1AB580D6A2DA0920F4A4A9989BE01D51176CE9405A46B1D7ECB800FD1460193F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.067{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59843-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.067{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59843-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000355727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.768{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AB44B7ED7B2ED1CE02D711BE660535,SHA256=9BB962E8A122344B235AE1CCC4A827131B041E2859094BE7ED7063E2314EEE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B83E50FE623D31D4B8974C7A022BAEA,SHA256=08A5B1E8D6E5AB9F152ED6CACE6061F1124A1FAC32B136DA6E20C6E4CB859693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.478{30B46F62-7B1E-6352-BD07-000000008B02}95929676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.449{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.448{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:34.119{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167E673FAEB5AEFC07EAE6A75E9B70C8,SHA256=7BD933938475FCA05CC5D14D08B6EBBF1BBA628B46557094457160AE5C45A9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.289{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.289{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.289{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.263{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.264{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.032{30B46F62-7B1D-6352-BC07-000000008B02}74447208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000355702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.481{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59842-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000355734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.916{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59845-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.916{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59845-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.230{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59844-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:33.230{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59844-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000355730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:35.526{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8FFE86277067D95C9AB696ADCCAF2,SHA256=3F1107705A5C3E5AE5C30FFBA7F07ADE110785EF8486C650F78D407B6D4D901D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:35.196{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DEB3B5DC6F28DA3B095EBFFA53C831,SHA256=4EFD64527E8B7A81166365878233102B0910A500D1A5EB7D6A24CB7C37257F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.140{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52222-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000355736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:36.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524AFB1DCB12E91ABF9B1BEC7A19B6DA,SHA256=AC2B92B70931E8F44B3C9129B8BEB57331C1B556F600E7AA39683C8515497606,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.792{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59846-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:36.281{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AD1098E06C7037B4B2398727AE8A82,SHA256=6988F065C55A97F942B68F20EEA181F2EC58396D591589047C44B2EAF393E4A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.622{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-58090-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000355737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:37.668{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2166C27921F3261DFF649093524D1690,SHA256=2BBA45057D7E3E0CFECF5F6CF5BB9B2C228026B2EF746D7890AE9253B3A07D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:37.387{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264665F12EC8AF933B6C88E4E638ACE2,SHA256=593869301F631D503A842BBF32E2FB121A2F945DBB27AD3AA3D576ADA3D56D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:38.713{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4B1F1D233A1DA1A06F4F53837354E65,SHA256=479B20DCCE9A4CF88914659AC7644A6E67EF2B13C7457FED3E7C0780DC21EEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:38.479{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C65C516D1459A4A9F292D3E67545BF,SHA256=A0F6A519879C0E59785AB75C3D5DA41CC615704CD62F5710DA0B92584705B7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:38.795{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6B0E0BAF5A6A50766BF5E3666D1D85,SHA256=1D904F0BD905EE189A038343A71BB7C4D325A15E359A483D3C3D6740B47C8C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:35.346{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52223-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:39.563{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D229D69954A4B383FEAA1D5ED92C459A,SHA256=5EA115E9C39656C5A1D4E922B0F11B1288A9698D750CE2E24C477C52BDFE130D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:39.897{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2F35052F5BB0DD4546CD2272459D01,SHA256=6E216567219E1C31EA5341ABF8691D827D8E58AA64CC24A7429A85A109CE77CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:40.948{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707E326D0C64F527B629B6E1E700DE4E,SHA256=303890D1B38EF9A63F573DC36A39044BCFAF540432D58668FE5B42280363742E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:40.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D64B7B645B226073B5AF9623122F3F,SHA256=726E854DE29C892FD16DCCD235ABCC10102AF0554C2761ED10675F1A3BF5BDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:40.003{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-210MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:41.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B24DBD56C86757E440B9D3813D3C861,SHA256=5BE86DECD4C77FA6F786114F58A1004FCE68B2496EA08EB86EE7F81BF4A2792E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000355743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:39.856{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:41.017{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-211MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:42.813{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6788195D266BB01F226FB92F14DEFFD,SHA256=5E50C0CFF39D1E89622414FD3EC9CFA742B29A3FFEE84027DDFE0EBBE13B9275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:42.074{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA5137C84999A782694A8F9368F17F8,SHA256=E03AA6ADEC55C6000779525A964369F12AAF920F8315A110E5B225752F58473E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:43.911{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED8D01475023BE984E29DB91AFB6A48,SHA256=739C7C2BBC2D1268621B7939B4969D3DC0BBE041FFEA591295692FE48791AA48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:41.324{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52224-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000355768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.855{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.851{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.846{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.836{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.826{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.814{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.807{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.805{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.798{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.767{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.742{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.728{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.718{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.708{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.667{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.643{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.634{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.603{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.589{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.551{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.548{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.116{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC52AC065EF4A3057DE2D1B2944A626,SHA256=98398EB2FC84605F8F4F0F198BA8CA75DEF757F053B94A26D15A8224F33D41CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:44.277{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:44.274{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:44.162{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4207504969912CEAE4C0689254715900,SHA256=93A746170F5F81763DC526E589859C51FDAFAC7B9933E580F08F1C06DB9FE262,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000355772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:45.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1888DD1814750A4DE907445372808704,SHA256=802C6C76EE8C7AA87587C62FF471540C09FEFB093F97A6BC619E04CB218F7CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.724{EFF5EEA8-7B29-6352-8306-000000008C02}3403440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000236322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000236320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.537{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.103{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197F0013241C4A15D1FBA461A05B36F5,SHA256=035CFF9F5E79CEBD503C800A8CFA57280399F13455ED4DB2FBA8A7EB59E54E2C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.088{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5E64A894699A73C8EED28843002CCF06,SHA256=9C9AA552606CFE92DE31DBFA7BA6917C765BA6C6E0D2AFCC5FA7D7EB8A179B42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.999{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.995{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.992{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.989{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.979{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.934{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.927{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.926{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.923{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.899{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.887{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.867{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.861{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.852{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.847{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.845{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.842{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.838{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.837{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.835{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.320{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.319{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.319{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B771332A57C161CF70279B719377B3,SHA256=26939C30624214FDA96E5235BB09CFBAE065E3471EA18B6BA29158C42B125D6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.318{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000236353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.823{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.666{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD367389D6356824E378E28427D5395,SHA256=9EA4DBF4E63B66D2968DF9E26283FAB807B8067F621CE88C69EF61EA132FEAF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.354{EFF5EEA8-7B2A-6352-8406-000000008C02}27402436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.185{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D81CDEE83C23C44BB5F071A8DC6A62,SHA256=A318B47631376860393B2B1AF0F599BDF7C51F65D1F80531B5030BDBBA01B230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.154{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.060{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=C9993DEE0297F82517BDF9C27029D86C,SHA256=B2A8290D2835C2E38795F659CACEA2517575114E2B0593D77C2E9C7BB1D539FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:45.662{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59848-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7297CDE09C8484897BD39DD0E3BE4B12,SHA256=7F4341C9DD80407A372FF8BBEA033C093030FB39F4293DE0CAD8B439FA9B8A05,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000355871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.560{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B93C10218BA30BB14B6A87106E60CC,SHA256=C7E94F0A4E3C37375A13262D6B12855487A1F06AD0E7F0C12D455A63561B14E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.442{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D471784DF0E7C7059ACD42BBAB9BB9,SHA256=859F02F2317558A4CEE3C1BCA29D1C81A8577BD817E46F341F8944EB6BAEC7DA,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.118{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.115{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.109{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.107{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.097{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.095{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.091{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.089{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.086{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.081{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.078{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.076{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.071{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.067{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.060{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.057{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.055{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.048{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.045{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.043{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.039{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.038{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.010{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.007{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.000{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:48.609{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BF49D3711073B06630E1E4FDB50F15,SHA256=671BA459B8C201AFE8ABD577B84CC4DBA25378B2A4D27B30519DA587A9E14D03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.940{EFF5EEA8-7B2C-6352-8806-000000008C02}4162736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.785{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.565{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A3ED87D6DEFEE44FF682CAED518CE9,SHA256=2FF9FA91A3705CA4BA51F15BBB1C4653D78AD1DD6D5822035784274FD23AFAEC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000236381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.300{EFF5EEA8-7B2C-6352-8706-000000008C02}8683216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.111{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:48.108{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.108{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.107{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.107{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:49.679{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B20F634BE29E0B5991CF52FA728304,SHA256=7F9A38E6FED74E65B32562734DE033DFFADBBF6EF34364EB85CF072A5946BF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:49.889{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=08372EFD8092480C42BC0205624CBC34,SHA256=B5ACE36AF5A3865F05A01A1D3D2F213E7BE3EF344BEECF87E8EAF94586991A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.732{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF2354072AC401D7733B42A4ACAB783,SHA256=20129449AB9439608140C7EFEBEC427FBBA971D552D658C1FAD128540822F4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.452{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:50.721{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BD39B3C42919E88536A1E99723F9F1,SHA256=0972E281A092A48FAA84A81AB52027FA1656E5F653924DEF6C1A850A79967899,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:50.799{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285D6E0B0BCFF8B3F3983B628735A33A,SHA256=BB4B85D0CEBD82B816D2955540808239B72500BCA58DA0576341BF1D6FBDEF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:50.556{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=4E1330E386BCD4D62D247C3A6EEE87B3,SHA256=700E1DD37302D33472E80F2003DA45E9ECD72448027B22415EA90E416BDF5531,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.328{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52225-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:51.839{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A459649F007454C8BB39C4A499FC694E,SHA256=332E7648B8A85CA763EF89E30FF350ED2B3FD29297074CE620E88EFAB377A8AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.982{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 
10341000x8000000000000000236428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.877{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000236421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.873{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F68EDF0B35711E152251F97A802A17,SHA256=B726D8624D8FE5DD3F11DA3D34974781E2CDA159011C3B1A723C0B7CD779EEF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.846{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.815{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000355880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:52.938{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224428563C1B10D4217C2552EDAA23B3,SHA256=C13076C0EEADD61181AB031494897E9C6F503730A7D15E016F282217B1D7F973,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:50.666{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59849-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:52.000{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000236444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:53.019{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF16782579EF8C6190E9A383B0902973,SHA256=B36ACCDCFFB74D4B90126DC3CC262332502E51DCA570FEAAFABDB67FE78DC39A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000355881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:54.057{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BC806A72FA60325E22B149BD3C0D60,SHA256=4E79A6D3C209D2B8110F61A14C0A05008B9B8DD0003E9FC6143EF783459AFE9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:52.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52226-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:54.155{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511A2507520D03FC2D17D22E2CE2FC2E,SHA256=CC8A36B6BEF5D6734EC4059B9D34D8809292C6B62CB265D0A9C96F61B781A004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:55.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DA07057EC6DFB1ED972F99EC8300D8,SHA256=5CB08BEFA9BA7729E5D7F231E7C7D30B2D69CAC0E0DF630DD081E5F3FAF87FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:55.232{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1028B6790037184D8A190B6672C202C6,SHA256=925AF803793BA20B42CAF799B6E082ED2A17259B8DF006D9928EBE2CF2B1805C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:56.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3DDD79A0584C7660BE30ECC0715787,SHA256=420F94F46EBE75F952C7BD0BA07E06FD9BCEC1B46F48CCD0419CD278114D7982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:56.320{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D3E8201B693760AC184BD2023B4146,SHA256=B00AA5D887A7F1BF723C19C6C131E0DA98813AE8BF880235F79FC2B96BCC3B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:57:55.842{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59850-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:57.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4642FF9C31878D7946F2946AA42291AE,SHA256=0D05E6D9E4A62B53293A28EBB32C99027D390595B39B9C0450F82EAAE8DBF219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:57.404{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D10E62EAA2D35ED37FDF7DFA322CFD,SHA256=BB3273D5DB2C13E7E6496A61C1005B275D1231FB0E914A426732E841B1A006D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:58.401{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF790E1D3275942575805099CD017FC8,SHA256=65A4167B5F0D12FBB5A1FB951D8CD33732DC6510938487D0CDCE2A7A992B243C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:58.487{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8059B46CE3E07E37653BE326688D24C,SHA256=C425270438381B6D8E37577EB9E7830088C1F51FEE51874AA5036E820B37D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:59.574{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EFECDE7FD681D3D20CD33B2A123265,SHA256=F5403704A6B75E5B32F8627AA16FEFD4AF7EF172950E3172BC9808E0A2C0440A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:59.449{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570AF8CA837557DBF44D059015A387AA,SHA256=30208317A6DF7E366B10B24B7FAD819D7412186F738F89761E2834FB36091984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:00.668{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF0C202A3313D66969DFE9805804DCF,SHA256=26B9931BFECB43D3316046CC94FFCAE3C12CF1AB6D9487CE8E85C284251E12D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:58.425{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52227-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:00.567{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAA5B3FE9E4A8E04ED6A47133A5EDAE,SHA256=F13995C47D19022BEC30B5A713490CBF7096D0A38269FE1FC877AB31D240F2B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:01.748{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F96731DCE9CC995B51A9C09CAA1AF3,SHA256=6644F13E76DEA81E53B514804E15269BC8206337A9514E5CF26235D36F56B4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:01.636{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CCDCA0F0F088CF57AD6623AFF19A12,SHA256=4CCFAE73FDF47107607BF879478E6C242F4D440B915A09AB1F1FDB2B8E5A5332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:01.320{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=470A4D1BA19F1E198E8B3511CA897875,SHA256=29BD5D30EC3E84B8646CEE60A218CAAB0A96219F129AA2FF68F651337B5F6813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:02.833{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38526F4802851428983EBAECB006E006,SHA256=FF3D045A686AC276157A80035691DF735E81AC26BF763839FF7117A1313427A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:00.848{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59851-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:02.738{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8641E3B03C229F57D49AA46625AB22,SHA256=591D6B2D1D9EFFA4B415C1A67F3585623A75E55BD67E583C82E33A353043A460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:02.221{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=1A309EE863548758AE5A66C52E4E0F93,SHA256=0AC0E8E90B274C0F29B14DE9B78DA1F5B37CCD6FEACDC36DFB96C775A1E573CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:03.926{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49167CA870572212E1ACDF817871DCB4,SHA256=C596EA09A1E1E42039114173F47D105E3DAE2B8A79B71DD2CD06473DC10254F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.965{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=90340AEFBFF2DC3210675132728BA956,SHA256=B7B0825E9DF36515B98969132D6660EC06C0273A4BEB15C15E54D855F6F1AF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:03.879{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.874{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.871{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.857{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.853{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.844{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.833{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.830{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.827{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.825{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.819{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.812{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000355905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2478DD3C7FF1977C26F4BFA3124163,SHA256=E3656FBB2141D95AC3188EAE073F8EDAEDB76F94936DBE5E7AD6EF47485C24CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.793{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:03.773{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.747{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.727{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.683{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.666{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.650{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.633{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.622{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.548{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.542{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000236457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:04.996{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA8D6D47A6368EF7F542D1AE86F93A0,SHA256=492B1F6EBCB0AA60AB7966FD754B60A4ACFD63B473ABEB6CE9EC7E0ECA03D9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:04.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ECAC4F83B7B03F7DD212C68C5D6523,SHA256=709314ECFD02CE4206C9D7153F54FE313D2587E77E358F8DEBBA0A77ADA4F299,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:04.412{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:04.409{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 
23542300x8000000000000000355922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:05.964{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0121D89F1BC04BC61F098645AF9A7079,SHA256=57CAFFD76A77EF97EC240EDD838FA0AEA4F5708E0B669B3A3B82B2D3CCB08005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:05.909{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FDA46F61FBAB715CF26E598726B736CE,SHA256=A231FEFABDC8DA30D2C4738561509C4FDC162913AE13F15ECCD90C5F6919A0B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:04.380{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52228-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:06.089{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7F8511ECE328AB56105315B3B785C2,SHA256=DE03E5717596B3E987B27B373D512EA9AF77BEB5226E0182D8B080E866E03E78,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000355935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.985{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.980{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.973{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.967{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.965{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.962{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.960{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.959{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.957{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.956{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.442{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.441{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.439{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000236461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:07.179{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000E9C7B353B8636ABB02831EEDA35DC,SHA256=8FFD3C2142C8DFDA5AB021CD6234297D90F000DC4B53F461F78355E745998FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.481{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC909C6F85B6238CEC6EB8885490711,SHA256=D8744754929CC434BED7096315B03B92D90C4D3142113C7E4C4B8A181CFD4F3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.273{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.271{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.269{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.266{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.262{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.257{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.254{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.251{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.248{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.246{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.243{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.240{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.237{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.234{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.231{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.228{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.225{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.220{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.216{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.207{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.203{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.200{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.197{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.194{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.190{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.189{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.187{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.183{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.182{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.177{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.176{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.175{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.173{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.135{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.125{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.119{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 
10341000x8000000000000000355946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.117{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.114{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.112{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.102{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000355942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F60082E5D880CE2A102BC868FD7C17,SHA256=36D211A1F024835EA96FF6018F00730213ECCBFFFCE3A00B01737B66CCD40E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.059{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.052{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.048{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.026{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.008{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000236465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.709{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:08.709{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.709{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.268{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DFEB6919C53ED7A3F71C23CE8C4C0D,SHA256=86F6AF5F96962CE1A643E7000776AC8705A155FE4FB7F9B544DDDA8C53F34487,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.787{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59852-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:08.041{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66898D8808E870990A829BB55E2CC0BD,SHA256=5C96CD7EEC7CD60F3B893A3A41A0E8A00C4B1886CA5EFC149B4BBDF38C59E29F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:07.179{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-59994-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000236466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:09.360{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5F30B3C6FCB9A1A341D3790D72E908,SHA256=7316DC92B34F9F6B21E733D3F2C4E5DED6B0D21E128104378C07B24A7C5967BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:09.157{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62509F8105029329EDDF4182B188B6F2,SHA256=6B6F23FF00826AF0967050F9302647E2228FDCB33D832054378879D1439685CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:10.444{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9279100AD5649CB9D161481723978F27,SHA256=C93D6E2974A50AAE5F0BD03079CBF4C9180BDE074453147B8F36EADBE5549F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:10.259{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A634E4F0C249856515F24F658130A0F8,SHA256=875EE015F30217250801F9579D1E171C21B9B4B320FE8D157754C2569619AC14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:11.996{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.993{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.955{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.930{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.904{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.849{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000236469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.516{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6C4653130AFB278996C0CB57AD0E2A,SHA256=F786A3F688D319EECCA983C113F6663C49D697668CB6352A0F82B9D1764EE57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:11.279{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8159682CFF7B17CF724AD851DDEEF2D4,SHA256=CE79F730CA8DC3F682AFB5428E39A7D7CEE6C75CD1B7E38B9941D8ACA135C65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083456C22710AB6787CA8B797960BD77,SHA256=7B87F60AF60C6E7D590393375CB32924890B189F7EB408B90F3D00449D8FBC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:12.362{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B2387DA9D4B556CF7C05519B812C4E,SHA256=96B6B919B972061DE8C33DED6BD0E1B99186BF72CFD80EB818E8F97568E1DAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.466{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396FA83D335579C915CCFAA570CCD519,SHA256=8F31CBFB1C9A0E78AD80E073F65E993584BFD52D88E655E44A7D8D98295B2CE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.033{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.031{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.029{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.026{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.023{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.022{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.021{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.020{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.017{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.014{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.006{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.003{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.002{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000236502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:13.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628BD1A6A3BF7DAD2E5E3379F6C1C0C1,SHA256=78A01FE573FB8F07924522BC317D79AE63B5186FECC04B74F55BBE516E598D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:13.381{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BFC7520965A545D28AB07F88B220D8,SHA256=3DD6F49F1CC4202AFCED11E33D1302CF6122D074B21C8B7285D67A1A032C17D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:10.297{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52229-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.942{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A849CC723C9E7FEEC45E85A13807031E,SHA256=531684B9D1D88FACE81120B4C2388AB3B031A6C9CEB772ECEF91DFF7F4B36687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:12.691{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59853-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:14.435{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB0AF0F1A156492DE7981B392FBC851,SHA256=A4179C74F1772C422DC6FFB3D860704B19B790C79DE025955DFD911152C65CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:14.431{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.417{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:15.952{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc6f2d8.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:15.468{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5458C2B78E9A8118D5A7E2C98B4FFE53,SHA256=98894028B31D2CAF260B8D0F0F4C7A5B61D5ADBEE4F428AC47AF946A71429BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:15.113{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5AF0CA7AF8FDD36F742655EF9B652B63,SHA256=9A0946B4696874E59624ECFF7CB8E7FD81AACD861544EB792BE61B3D7762C8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:16.568{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A78CC0E0310FEE355906F81A6F6CF9,SHA256=BBF6A61EB1621EF5D91567ADA73863A5421497F5B80461720A98827D0906295C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:16.038{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713E0A540AA698F37313159432E26934,SHA256=F6B8B249DB16549E4E0594178D0E12EB9EAF6A64E12D7CDC5BCAAA7A1C08F253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:17.613{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420BA268A52251F4543105C28A461A4C,SHA256=378B5E2BB4458125FF5569964B6343A554D6AC5D9B2965560D9ACC9B6EE3E2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:17.132{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C5E12A9B0199DD344AF79D67331497,SHA256=E5A53D5B89A0C549A54D3290996A9AAE989502BE19929D70E9A8E31D9E6E3813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:18.714{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BC72ECFA485A9766A683DBF0AB4F7E,SHA256=0EEB5B6612CE74F4399DC922B8AA4C8D316ACB5B42D271439AC0A2DCC576FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:18.228{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D7855658DE2CC92922E1222DF1457F,SHA256=48554A0AB32DDFD2D29243F4458E91121708B3263EED70DCBAE7B056635F8D15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:15.427{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52230-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000356002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:17.868{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59854-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:19.741{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B94F16EF58301DFF400258041C1FA2,SHA256=92E30ECB3E83E307B25C7BB66561D6349BDD4C795B9275B7D19F954E85626AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:19.313{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C973A4C09A39889A839E6627176FFF,SHA256=C40476112D15A708E320D5C1D2EEF170597C9AEDDA0A0661010E57A85C6DA3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.816{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5BBADBE09077A0E2838E13030BF1EA,SHA256=3681B853871E7A28DB2393C327E0C3F78E41C86472EA7A1D67DD4EB3EE34F906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:20.386{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF30BCE35A14BF6974A2313BBCFB00D,SHA256=B152CC52C56BAC5FAD1C5FB23AB8F61378092D7DE1BC64264A506A7D84AE3C1E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000356005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.492{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.491{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000356003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.491{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:20.063{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A03527E18466B11BE68A9230CBE300B9,SHA256=9C37BF92838391C2264AD75A57FB0A53AD23220E7F3A36C4BA741BB4420E7999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:21.917{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CC117BB1F8FFCF23A1CF66BF50E705,SHA256=24ECE726E82BD50AD128AE5538A9518657A365E5B1ED6F639D1D9B8C15C629F2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:21.461{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319480097B6552A16B3232D198204CFB,SHA256=C688B396521E23336E5DCB84B17351592BD1B2B2F517C495F404AC7CBBC3C05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:22.993{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048CD995D0475BCC2741DA8C19F69F1B,SHA256=4C43BF66B138F6E02AFEEB7C5E5F72BB7ADC5FBD1ED4DC008E441B6D1E51250C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:22.553{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8500397C46EBE08C38E1BA3988F5BB9E,SHA256=DFC4CDAECB475FE52E18A5D30CD826B0DF9C4E2DB5331A0480B9FE86EDA97AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:23.633{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A554A3EAE342BB792BCD0DE53F6C799,SHA256=E61F712DAC19A09D162E413CFB084BBF49870A633143584A60FEF7A100F80E8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.840{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.837{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.833{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.825{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.818{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.811{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.807{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.805{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.803{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.796{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.783{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.765{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.757{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.747{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.738{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.709{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.694{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.683{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.670{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.655{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.576{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.573{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000236520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:24.721{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5985AF471A16DAF0186169C48AE616C5,SHA256=204BE8E8EBA539198C0126A12FE8120F82C814F39A047E638AFF395A177E08DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:24.250{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:24.247{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000356032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:24.073{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A410EBA71D965611EA75112900E77277,SHA256=BB46332BFEB7E8D444E0579109003EC810EAB1CED9543C823EBF9F9929E04072,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:21.430{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52231-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:25.828{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11FE98B793ADD9E6B1AD35F5250E2AC,SHA256=512A8E0502B9962E9CE97978303313AE8E5C490085F3FF1665E6FAC156C24BCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.824{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59855-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:25.161{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FB3D0652444F112CDD2160C2F40FDD,SHA256=5AAA77F4B4E9E1B63BA264716D518D61F302791CEA3FF45D51D5A6F56AF54BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:26.934{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E931A5A0729D54BF91E834D724D8A9BC,SHA256=697F7A3A591E988280A44F3A3F3B434849F6658A63063FBC4AA443ABCCBE1C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.995{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.937{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.931{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.925{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.922{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.899{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.884{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.851{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.846{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.837{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.833{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.831{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.829{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.826{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.824{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.823{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.297{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.295{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.293{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000356038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.199{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FB6962F3C9291A7A2356E87E2566AC,SHA256=482D4DA13922CCF80ABA8633AB1EE858000DD69CF2323C322C02E5D66FE25C0F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000356037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.023{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.647{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DFE34E92F0BEA31F5A6A1317DFC9F2,SHA256=7C9D64C1C659938BEA60F55B9AF5A94A779A4E4E5473DC93477FA3B0A18D4161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.647{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B230620FFB5DDBF79DEA8C2F509199,SHA256=B291131D42BDF999C4DCF622205E5A53AEF8862CF7262309A7E0C4FE25C02D42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.195{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.192{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:27.189{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.182{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.176{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.174{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.165{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.162{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.158{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.152{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.149{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.147{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.137{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.134{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.130{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.123{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.121{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.116{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.113{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.111{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.108{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.104{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.101{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.098{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.095{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.092{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.091{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.089{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.087{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.086{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.083{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.082{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.081{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.080{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.048{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.039{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.035{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.034{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.029{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.025{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.017{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000356120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E249D78A6F59E051D2AC25D8852D3D4,SHA256=FD2DBBD1B31EA3786715304F10A6CE472F869C0ABF5B4CC212061BB87EF249A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:28.011{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CC43A05F923B729C16BB96F0207EF5,SHA256=B4D8877602DA7FF4EAB25CAEACAD3E04A540894F30C7B9F7DBDE34377CC1336D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.591{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000356111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.295{30B46F62-7B54-6352-BF07-000000008B02}86805152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B54-6352-BF07-000000008B02}8680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:28.062{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:28.062{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B54-6352-BF07-000000008B02}8680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B54-6352-BF07-000000008B02}8680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.063{30B46F62-7B54-6352-BF07-000000008B02}8680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.764{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AE135DE06B39B11558AB8C27F9467C,SHA256=35FAF3C9F0D1BF3D6F09797EF8197B1696E307C7F76230924C1B6C9A7E96584D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:29.773{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-211MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:27.275{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52232-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:29.204{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE0DE54FA4ADD35036A4ED4CD90DC90,SHA256=EF540B0463EE720BCC116CAF418D6ABD6B1964E5AF60B6CAA5E61F6BF9E85C61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.114{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B55-6352-C107-000000008B02}10208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.110{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:29.110{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.109{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:29.109{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.109{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B55-6352-C107-000000008B02}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.109{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B55-6352-C107-000000008B02}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.108{30B46F62-7B55-6352-C107-000000008B02}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D360C70A3EF2E87A027C338AB1F90A3,SHA256=781CCAB673469ACE258A4A39C1900BB76D453F441A6E1DF6827399382A29BEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.051{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3C595633EAB5959870C12C7B44707631,SHA256=3C7359BD720D8F22A6E766B1BDA876037A1E26BE5B02FE004626221172B1F365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:30.781{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28BE8A613501971D4560465C5FFA1AA,SHA256=87D17CD14C4DB07D572100E04B49835410795B1ACF079F6DA50B9FFC61F47BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:30.777{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-212MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:30.293{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728E298808C629B00666A5ACB4E2803A,SHA256=B5778FCEC2953E2F7A58CF2FE4AC26AB09B31843307C86F11DFA775E3052B1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.870{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA20A2150D4178BDB28480154EE9A3A8,SHA256=CF6B9B55143D274E74A918792E3214CB883DA1EFDD18C80C717F17EE90F66AC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.992{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 
10341000x8000000000000000236543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.950{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.845{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.838{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.823{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000236529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:31.366{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5D0DCC0324B73085941640E42A2946,SHA256=F2D082441E04EF4B44C4F601EDE7A26E5CC2BFED38EC6781C4DB4E654EFCE9A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:31.635{30B46F62-7B57-6352-C207-000000008B02}50809576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.405{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B57-6352-C207-000000008B02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.401{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B57-6352-C207-000000008B02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:31.399{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.399{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:31.399{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.399{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.398{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B57-6352-C207-000000008B02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:31.398{30B46F62-7B57-6352-C207-000000008B02}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:31.381{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF92F847FEDA0AF30F284810034A8DF9,SHA256=D9BE800E18A55AF554DEF1133DCCC335D3E51589C056272C8F10A5A63F64DC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:32.927{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBBBF4F3B156E0FBE22EC3082265EB2,SHA256=60FC032FEF1F934546B19F10471B20CA72364D81BA87B1CA8C9E8A7298F4E6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:32.911{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.932{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:32.601{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EE9A1CA0CFB73902A541F5F069139,SHA256=40424ECD26E20B351C370D7B45783A4679FDC3A94B934E633A3D1A28FC7BFF4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:29.703{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59856-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.014{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.014{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.011{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.002{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000236561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:33.766{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9DED6B7660C7AEEC3C941A6DDCA775,SHA256=CEE8460520867004A291BEC843B46811B39D7D345698EDEAC3338DF759709A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.972{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFDB2BE488BE09CE5B6D8C3E1FC6C19,SHA256=E8FE3C99DBC3A202A1C1BC3D6B6B6975C06079E642E3BB0F15718A9098F2141F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.873{30B46F62-7B59-6352-C307-000000008B02}93842420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000356154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.656{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B59-6352-C307-000000008B02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.656{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:33.656{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.656{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:33.656{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.656{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B59-6352-C307-000000008B02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.656{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B59-6352-C307-000000008B02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.657{30B46F62-7B59-6352-C307-000000008B02}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:34.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B09D3BD5FB903F60E250E7A5BA602E,SHA256=5B4DF66DC5F3AA612B578B379CDD5A20D60E9D638F771F795C750BD70EC5367F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000236562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.164{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52233-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000356175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B5A-6352-C507-000000008B02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000356173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000356171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B5A-6352-C507-000000008B02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.873{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B5A-6352-C507-000000008B02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.875{30B46F62-7B5A-6352-C507-000000008B02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.708{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75687127C171DD9F20377F89A40DCA68,SHA256=CB2816337AE35A7AED6706C8F924578024AD78B155362D1D25CBAFC82438AC8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.457{30B46F62-7B5A-6352-C407-000000008B02}755210140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.257{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B5A-6352-C407-000000008B02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:34.257{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.257{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:34.257{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.257{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:34.257{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7B5A-6352-C407-000000008B02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.257{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B5A-6352-C407-000000008B02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.258{30B46F62-7B5A-6352-C407-000000008B02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000356157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:32.525{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59857-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000236565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:35.933{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B8C183CD401A44ECD34E640967AD3C,SHA256=6C4EB7798BBCEE19892815AEE46865B0C520A473194C33CA69A166F17A6F4B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:35.081{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A235003AF8F1C918B4D3A02DE7D0B8,SHA256=3E487664D8C21F553711DAC62DB478871B1942A16AED6CB0246D716A4A137C8A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000356177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.230{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59858-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000356176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:33.230{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59858-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000236564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:32.446{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52234-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:36.074{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A4DE0391C11D32A4A11642FBBB6A5E,SHA256=861181427FA8D78B80389C9AFBAD5B59F8480D2E00B8E4E8236CF43FAD609203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:34.840{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59859-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:37.106{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A094D71CC4D3635C496E6F984ED7D17E,SHA256=FF4BD93CD1B0646D4C6E27601A505D892774FF1042FED4CD950FD523428A8373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:37.022{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1275F8442A8D048E375EEE242DBAF1,SHA256=C30AD932FED50F8B8F40B6DAEB12981E7BD43349D54C22C6E5E69FBFC16292BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:38.208{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B080F3A0C34415A3A97CCBD41A6AE384,SHA256=84C101DC9A6715B7D760458289163B5988913459ECFEE85A82E94D8FD8A8BD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:38.106{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D174EA2B2F785BA6101A727A63652C,SHA256=2355AF3D4C9AF68BA7F307EB3B429B0B92A7116AFDA4776A012AFDF40E64151B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:39.231{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD55520E2A8469A0BC82AC3972D41D5,SHA256=7C2CCC7070BAA4E436D69A4D06DD62C0EAC4169EA055636A6486CDD499E17619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:39.196{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61F38AB918DB88B0E10DDAB55B1FE0F,SHA256=0DB14CD3C67738C9EDD024C212CCEDCF274008944F251114F2E45FA3F3BE926B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000356183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:58:39.130{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e53c-0x1341da71) 23542300x8000000000000000356185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:40.370{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D28894DF4206F8A1834EDFB7CE89B7B,SHA256=5F351B474ED03AF635182BECCB2D20514E0211D68C54B8C67696E0C01684F818,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:38.405{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52235-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:40.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0823B358ED6DEA981CF97A19433E99E,SHA256=64FCF70DC181B0D249F1264406E77D44DCEA35B8BBB7A5E18FEA89A5A73ADB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:41.533{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-211MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:41.486{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3566D15A00BF81773954677F162EEC6,SHA256=F079B1829545A5186EDB54F1F5AD3D68541BD63882AA5F7CD99A70BF716B09C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:41.376{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB920995A6F43082A46F6A3CD21D371,SHA256=B92DDA59DC9007CEAF7CDCF5DE1F1A6935B9381CBC54C071179DB21A3FB8F5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:42.540{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6671B96FEBEB0887B42F9C5F109F668,SHA256=F5C0169B1B1503B6C50837EAF37CC17FF227A8FE2C31B2248232C861CC437670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:42.539{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-212MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:42.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C52B9B248FEE7F38C3997041F5CFD31,SHA256=1852542D98D393AE5BB3264A414C18F18F3AB7223CC9399925CB8BE5A3E23822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.787{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.782{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.780{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.773{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.770{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.759{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.750{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.747{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.745{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.743{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.737{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.732{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.722{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.713{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.701{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.692{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.660{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.640{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000356196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.632{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F00B9CE35BE58980FFDDBB03D8E6F9,SHA256=2C64439C584DB4685C974D8B8704B0B72CB2850FA1899A51E01B015B2D6D13E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:43.628{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.619{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.604{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000236573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:43.529{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15B1B616B2F71E19B010C5B53D02759,SHA256=27319ECD60B879A25ABC865464B40BE66ED738592ADBFD2394B2E3A1A8D10086,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:43.557{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:58:43.554{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000356190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:40.834{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59860-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:44.606{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA034B6A08B72520287557F14FD4501,SHA256=7840B4FB3F7FB691621A99AF79A3A75907A76E9E0EE6960A67EFE1313D74D57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:44.684{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244F398BF93499A232EC6952BA440506,SHA256=82836A2578B91525FE85679C1D241901977C6AE22997246C73A502C0084DF982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:44.269{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:44.266{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000236589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.753{EFF5EEA8-7B65-6352-8A06-000000008C02}19083340C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.691{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072B1F754CED977D97FAA737902AD024,SHA256=68C41674009D2B13CCCCBFBD3B54F35BA4571739B6ED484F715A8C81934274DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:45.728{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC99328FD9B3230ED342704B1064B347,SHA256=7F375A6742AD3E740A0E4C079CE383CD2720DBC03FCCA82B4D4CF063DB0D9170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B65-6352-8A06-000000008C02}1908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B65-6352-8A06-000000008C02}1908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.534{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B65-6352-8A06-000000008C02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:45.535{EFF5EEA8-7B65-6352-8A06-000000008C02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.864{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B69E11FDD4DEEFEEE16784198D1865,SHA256=E662785439B7F0E767FBCA1329468DD3E64735DD505A53A3B58D23BAD883FDEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.997{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.993{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.976{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.936{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.929{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.928{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.925{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.906{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.894{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.862{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.846{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.840{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.838{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.836{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.834{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.833{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000356224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.832{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B82F5EACE2159658480CDC8F8CBECC,SHA256=9FB8F68868B8BBE65FBC8F010EFC9537987BB1BA497FF872EDD2D57EAD16F028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.830{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 
10341000x8000000000000000356222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.830{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000236619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:44.307{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52236-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B66-6352-8C06-000000008C02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.652{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B66-6352-8C06-000000008C02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.652{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B66-6352-8C06-000000008C02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.653{EFF5EEA8-7B66-6352-8C06-000000008C02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.607{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00DDF067A090A18899A7B55131E9D0E4,SHA256=7CFB97E28B5C05F223E0D30BA90EA8A3E35B5F20A496AB13B60B917137B21F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.554{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=39D8C18C56300F94E1419E56C478D5C4,SHA256=99BF962CEF2F2F6175083D9788BCB1FDF26B2FBD6456E4C8BCBDBACE7EC21002,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.190{EFF5EEA8-7B66-6352-8B06-000000008C02}32242748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B66-6352-8B06-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:46.034{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B66-6352-8B06-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.034{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B66-6352-8B06-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:46.035{EFF5EEA8-7B66-6352-8B06-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000356221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.303{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.302{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.300{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000356283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.952{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC754F9DCD802027E19557076BD62C39,SHA256=EE5083676303BD17942CAE1530F7C1CE77696352B9F0E880686A608EE8F855D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.368{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D5BE0CE4B629B03514CD2EC1A33271,SHA256=BB11E20A9328A52C9577941B3C99E5FD7D9B1C41CD12EDE9986516DEC835EE96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.120{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.118{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.116{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.114{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.111{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.108{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.106{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.103{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.099{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.096{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000236646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.994{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B67-6352-8E06-000000008C02}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B67-6352-8E06-000000008C02}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.994{EFF5EEA8-7B67-6352-8E06-000000008C02}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000236634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.484{EFF5EEA8-7B67-6352-8D06-000000008C02}3612996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B67-6352-8D06-000000008C02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B67-6352-8D06-000000008C02}3612C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B67-6352-8D06-000000008C02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:47.328{EFF5EEA8-7B67-6352-8D06-000000008C02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000356271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.093{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.091{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 
10341000x8000000000000000356269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.088{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.085{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.083{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.080{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.077{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.075{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.072{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.070{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.067{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.064{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.061{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.057{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.054{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.050{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.049{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.047{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.045{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.044{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.040{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.039{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.038{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.037{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.015{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.011{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.007{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.006{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.004{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000356242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:47.001{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000356284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:48.968{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8552E263DB5C7D6666D9ED898F9033,SHA256=770B28D00EC6FD9C7CAF70BB340326CC6E12C8087A7FACFF480B7C54AF164268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B68-6352-8F06-000000008C02}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7B68-6352-8F06-000000008C02}2988C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.681{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B68-6352-8F06-000000008C02}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.682{EFF5EEA8-7B68-6352-8F06-000000008C02}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000236649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.197{EFF5EEA8-7B67-6352-8E06-000000008C02}804932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:48.150{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3834E43BFFB1989130129AB41FCC7464,SHA256=B0714C3768A7136093323C6A82A47C42054895A8D2730171609234B5A04CA484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:47.994{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B67-6352-8E06-000000008C02}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.452{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4DECDB538F08D97912AF709C5C315109,SHA256=ABEB12909AFB9F2BDEE7FAB5FAA44E18B1A91D2F5AFBF35042A716A5A72F1D35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B69-6352-9006-000000008C02}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:58:49.270{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B69-6352-9006-000000008C02}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.270{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B69-6352-9006-000000008C02}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.271{EFF5EEA8-7B69-6352-9006-000000008C02}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:49.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BDEA7C3C2204CA3D2A1D321DF20F2B,SHA256=AD7B4DA3F96C2C0E993173899FB2D8457EE4CC6CC6BFAAF4E4BB1CC435FA51F1,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000356285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:46.800{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59861-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:50.309{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55557C018443C4DFD5F6E4B4581C61DE,SHA256=DC6B69F401FA2D05990546A36DF1C635CDB5B0C13493490EE7EF187719031EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:50.083{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB64A821C60C67C6AA95F20DF6FB6DB,SHA256=971DB7B830AB46964A301FE4C614C1A81A0764A64E77FEE5B9C931876BD57C73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.969{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.961{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.958{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.957{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.955{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.949{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.880{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.850{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.841{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.832{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.826{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.818{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000236680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.812{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000236679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:51.386{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C72EED444E0E7EAD395283E99BFB13,SHA256=E08B2747A7596C8F080A4C4B94A07867461FDF8007B8742328C6718E335D6D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:51.152{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1757A371F5D0DB9C8732C465BFC71F67,SHA256=4BBF082CCE62767D82BFD210EE7BA2ED09BBC9CF2E53A0234FEF4D586D387F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:50.263{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52237-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:52.595{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193CA577C5321DF09F7545DEFEBA7706,SHA256=E5D01D9FC001A929AE8F292A444962FC2CB415E9338FE5BA2453E6B1198CBC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:52.199{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C330733D7EB68368EDE952288522668,SHA256=F271A3871E68377537739012A2DF87B74AE4D242743EC3A59330D3EA771F28EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:53.777{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B553C0359E944DBFD92B4ED53197C191,SHA256=FBEE39BDA85AD87943D588BAF4B079DFBDE2F8138AEDA197058C09EAA65AF8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:53.350{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418EE7E7BCA5ED1B69A78BCACC07691D,SHA256=89BBE8292749C2A1DB6A711074158366C4698D42512015D0054C0D38655C3455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:54.853{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC56C96FED577CA10C2AC1C1DE08DFEE,SHA256=8DC8693A6E74417C88F6D47A5F9402CA36A74F39395D5EE655A07AAA9E61FDB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:52.755{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59862-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:54.450{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9843E92CC9DDEFA32ED86EC702AF5E,SHA256=87AB35B6C0C6562914DF12F22AD104CC85EB2A0F541D3333B0F406B0E40CDE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:55.948{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC92705F1CCC36FCFB760E9FA3E41E7,SHA256=2976AB0E8EF2C7FBDA4DEB54EBCAB4D9A7E97FD24CC69401A9F26205C31B431A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:55.582{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06F6F7E5D7C389E2A8CBA785C376768,SHA256=7A793F9D65179CEAD15228A375DBEBF9B49E8441B2EBF54A059FB087DD248188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:56.701{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B852DF716C22E2E9FF07C91C6E085AE,SHA256=5E5581B1BF1216A525B8A19BC5AFD46328BD0563546E431905899C7964479673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:57.801{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A0B738275F7D9C50E204332103600D,SHA256=FDF543DEF4CBC1B446B5E08027A85C238252DB43F822EB191A8C1377AEA19DAF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000236715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:55.415{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52238-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:57.040{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74E16A1456CAEB6D2046FAE206D8606,SHA256=48895A6E9C0BEADE30D9795CD43BCDD0C0EFBCB48AC3DF254000738737BC1683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:57.427{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=E1807CFC19AD71B12F675CCAC15E9469,SHA256=78CE258FCD587347F7744632349CBE65C528B12D7D9E07BF0FDEA24E0BEC65A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:58.838{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A8FA054C20175F70694630A4009128,SHA256=1D5B354E979971B050D7E43C03F7AD8F339DBA5572E292BF162985D06BBDCAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:58.128{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD36D4A630F34026682019FBBC0A54B,SHA256=8EFD919BB3487D6551A940AAD87E9E6612F36B061CD9E4ACAA15B9AC001BA82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:59.876{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A0F1645203978052C87D96731353BB,SHA256=5601147BD470FB9E35FE01B6DDF746997465FC34244A5307FA7789FECD93CAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:59.213{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721C4BB9A630269BD9F5929DD12FB75A,SHA256=5A52443B1AD881DEB7439F00588F10EFC47BB3B502513FC02E912D75A24F94CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:00.927{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE7511B17F329801D82D2DA43B3F7A1,SHA256=624FFD7D25198998298606CA95E8D3C086FFD55920CECA4C338399C3B774BD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:00.298{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED8A19637DEF90332CDA8B9C1EAB2FA,SHA256=0B45A4187039F5E76683D1FCF50883FF6EF10DAA8FE907041DA326A493A1CF8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:58.697{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59863-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000356298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:58.163{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.205.25.54ec2-34-205-25-54.compute-1.amazonaws.com49737-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local3389ms-wbt-server 23542300x8000000000000000356302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:01.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B7D77BB4F59FBC7C11EDC867957A5F,SHA256=84DBFC83F06DB6FE5ABA75951E711C66A7677BCA6B2EECBC6650EE7FA5649FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:01.392{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759FBDA90E88BE6D5E44D14DA53D2BDB,SHA256=D030E7DE7A32C33618841FCCDD566D7FFCD49F6D235B33FDE7661674D225F2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:01.667{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=66BC969C53DC0AD5F2F567FEC74E270D,SHA256=85381CB9F8FAEDACD98920A01FA62AE62B95BEC0F25E155DD1CEB0044C9B3032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:02.484{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C632B451DC5626B7351AC4D3F4257884,SHA256=403152BF3F1D52472585D143C106AE3AA28920B09237A60F829715E48002BAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:03.580{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F023C05FA8F16C5E5ED3472CD2C3B7,SHA256=91540D0B009110CE802070FA8DBC9346AFD5A15780B1CFAF34A4E556E0D100E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.969{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5E90C5B10BA3FDBE61F69E61A6B10D20,SHA256=8BF70F6B8B95A112E95B823BFA4C0C0B0D82DB6A4285D064196155D8BD84B369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.856{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.848{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.841{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.829{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.826{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.812{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.797{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.788{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.776{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.772{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.757{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.751{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.731{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.718{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.704{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.690{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.652{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.636{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.628{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.612{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.596{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.549{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.546{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000356304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.500{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54EE780EECAA86082BAB0F1702E3526F,SHA256=314B8F02D4DF15AAEBAEC6FF3B9374D595EC86A09538DADA9EDD0F85494A7E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:03.000{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25708DEE5D6D5E5006680E94A8F1CD4B,SHA256=6410DE2D716BEA23B9FFA916404EBB9D5E81FA63685C5B68BCAEEEDFB20FE6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:04.668{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E3B3B49FB07F919A983E267526BC6C,SHA256=C8400CBDC1653CAE66EED86DC34B095DF2F080F7755ABB3785AD128607F88F5E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000356341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000356340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c7b231) 13241300x8000000000000000356339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0xc0b793f2) 
13241300x8000000000000000356338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53c-0x227bfbf2) 13241300x8000000000000000356337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e544-0x844063f2) 13241300x8000000000000000356336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000356335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c7b231) 13241300x8000000000000000356334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0xc0b793f2) 13241300x8000000000000000356333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53c-0x227bfbf2) 
13241300x8000000000000000356332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:04.928{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e544-0x844063f2) 10341000x8000000000000000356331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:04.426{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:04.422{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 
23542300x8000000000000000356329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:04.112{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8125935205D95928261F955CE197CFA5,SHA256=E3C69BC17E2412C1AC95DAAB077BE1D8D1429DD3FD745F91802229ACC64695CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:01.359{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52239-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:05.924{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D1535585210DFBA86CA444BB77C7C79,SHA256=0F93872D74014B71873E6273D2C1D62CD120A91D1CDECBE8B9CA695EE162E532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:05.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2F92CBB2BEEBB59489617C6FE02F56,SHA256=7566BE1F1CBA1C0E25D83BB08A37A9C5BC4BDF8FE0D167F63D9EDA0A841F8D57,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000356343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:03.808{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59864-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:05.205{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DE055F66C865F95854DC985ACCE7F6,SHA256=F8220E77555092C0B8EF9E34EED3C70860771B2C66290C350800502F4773210D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:06.952{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A10812969A443E2DC756BFD07BBC03,SHA256=3391875A4876E7544CE49C2601FCCCE3CE1F7549277879DF491ADD602E359221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.998{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.996{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.994{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.991{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.991{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.487{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.486{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.484{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000356344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:06.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666021BE0F8A86DC6987041B80159012,SHA256=F5BE07B78389F8C19698AD01896FFC451F5C2C9C026C5B62D234059CB759E5C3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000356407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.425{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C14BB00051789F5668CB1C141AB21C,SHA256=5F1CF67352E27F3927F6A3811E36F54BF955118FE572423669C9E4CA0FE28908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.295{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.293{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.290{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.288{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.285{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.282{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.280{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.277{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.274{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.271{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.269{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.266{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.262{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.260{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.257{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.255{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.252{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.250{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.247{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.244{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.241{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.238{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.236{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.233{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.230{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.227{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.226{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.223{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.222{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.221{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.217{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.216{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.215{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.215{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.194{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.191{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.187{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.186{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.185{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 
10341000x8000000000000000356367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.182{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.179{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.176{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.164{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.120{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.114{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.111{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.106{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.083{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.064{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.029{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.019{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.007{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.002{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:07.001{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000356409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:08.655{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CF92944AE6FC85D3F22AF7F22F8A8A8C,SHA256=CFD16FC9AB040BAE4B76EC3C9A297D875C76B9E6629694EB843145FF05E1090C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:08.368{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEC0681BC9A269CF33B17597DAF871D,SHA256=1FC33B0D1E7828766F481182D45697C7D0865EF30AE881A9189C5B31928BC0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:08.047{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31629393E45140B1B16CA86ACD7A3D82,SHA256=3BA73EA9F960778F8D2CEC8B7A1193E9150A4CC39E53ED38B939AF443A9861D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:09.484{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2272CD22A43D7633A0E233A1543C74,SHA256=7225C3BF304F5011E69F5FEF003F1BF677E1AB8A6724527E0F19ED716BA6F90F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:06.497{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52240-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000236728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:09.151{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AB5E1B1CE203EDEE6821A8BFBB9415,SHA256=01BA0689FA3667A96F895C487F8748FAD63FE8236D6003A8D8D5EA735524F3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:10.602{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A7E3B479E07E2C51BD5A5B2D4C421C,SHA256=00905F02AEC893CCE78450C967F54874ABB97969C8244D7F7842E88AFFF5198E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:10.235{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087B798AF272D8595589380FB250FDDC,SHA256=D299C4147EA16F65C944FAA00145726D59A11261163F2B93F16B3C68EB781632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:11.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC909733FB4FD6EEFE276C6337DA1C42,SHA256=5C87DD080D6F630791920CD33369EE06A133453681CD896FD20D759B02C50D6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:09.782{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59865-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.992{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.987{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.985{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.983{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.980{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.979{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.978{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.965{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.957{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.954{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.944{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.917{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.904{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.896{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.871{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.866{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.848{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.838{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000236733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.826{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000236732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:11.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30066725D7E81542936F92C6BD5D847A,SHA256=5C1D9FE5957F16344BF540A2916F0435C36B22BE0051AF546D4EB5A6B9A9FCF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:07.765{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-63640-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000356414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:12.827{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F92EFA445F0E1EE5FA3C917FC363F4,SHA256=322C805CC4C79D6AB0329F3354D9DB5524A74F26820DBE071B03772ED0FB173E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:12.827{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A0C273C10AC2B0CFECD2D76ED217C8,SHA256=3D12B9BC4ADAA930B5C90D04DA5142CEBD55846C9B73CD664CCC732526C3DE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:13.882{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB992E663C2182CC9D41887035B63037,SHA256=1B4A2E7A8066F18C713367CE97F7692E7684DA6FB5985DE6942BCA8620D7F8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:13.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B947852401F9B3285737CBA7B77012EA,SHA256=5FD487B926A110EFFF959D813902BD3318D0785C40B6BE6DB2EABD8DB7E4698E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:14.969{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F146C0AAEF58C2B7139834F59D7BD1F2,SHA256=AF42120E21476F15DD613D997421A3F0298DA3B2D3A79099CB5E0833D235ADFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:14.878{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B48DDD1E4A41885E4A8574358EBDFE1,SHA256=92728AEAD8F5351DB1362188981FF6BE821A0B260C1023BC8C786C58CF4F5D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:14.625{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11016ED9112A29A80B01D67384CC697A,SHA256=5EBE21F71713568361ACBFCC0957C44BF2129A6D063A9393779F56F82B81CF16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:14.432{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:14.432{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:14.432{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:14.418{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:15.985{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9DF6E7842C8E886D1DA67243862A00,SHA256=F48A565B55131643F35B13956BD5B1FC037011066F2492E453355E87F63AA414,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:12.408{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52241-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:15.181{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=923C303D2313979A2E4AC94399B8198C,SHA256=91B27D5D1AE35CDFFD0898AF66DA52EAE815D89461320B8D246C2664168432CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:16.055{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D79FA4EFF0E5D58FB7B263218BEA421,SHA256=54D1EB2C5802EC5ED1EBD7CF025C540368E1966E9E11E2DA1329A16B8E8827BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:17.146{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D56DCDE774EA06F4515B5086798FE3B,SHA256=BB134688315A4384C8037F2F80973EC117440D82A2FAB43B30317F8519803C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:15.783{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59866-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:17.028{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169C312B10369769914885F21B53202,SHA256=CA35F486E0DF950C59526BEA41B97BD1B7FFE1F148CB419BD694384E281F1B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:18.242{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06BE98F348BC526AFD38BB06F345F1A,SHA256=A273133715FF9B39E327B0844D138198ECFAA6035E00DE7EA31B9F77C75733EA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000356420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:18.071{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1575809CD07D2899CB0062F7A4993E,SHA256=4869362C426B0CBAD11EA141CB14E308DE3FD66081BBD75F44315948F4D77C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:19.714{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2609913A988CC8862E1CB3D25C554828,SHA256=A48915E0257634FA12E18526ECFE53EA4A0AF5F7C0C9925C7665318EDD6F6D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:19.326{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EA1D6FA29583ABD69DF66108494CD3,SHA256=0869D6FC10B449E1D930205EAF8F9DDBDFE6DBE3A71F7AD5645358780F877C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:19.103{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1FC00E49D2BE14726242EFB93B45BC,SHA256=AD49B13D4063B922D3CD42A1F033A9966B6C444C339D6BC11D16B9CD622C4F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:20.412{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18B8683832538DB93E022119BEEB1FE,SHA256=285428AEB07FBA001DA140F7C104A265474083250A7DFF8810CB27A7B1240E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:20.196{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F940EEFD38E29650932E5768C8D9740,SHA256=008F1EB963A47425DB069DCFBC3D7D711A0B7CE5C9A451B1FEF9EA664B0E0AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:18.375{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52242-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:21.302{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442B3ABC2E65EF10F299734B9ED02764,SHA256=4FB025CC2AE4384632248EB0C94AD0EDF03C2E23BF9D3581BA10647E1DBC86BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:21.501{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE322CFB57AF26D1FF3507EA348208E,SHA256=95B51F0F4B8A8AD530894D8CC6F63CC14E8843338E89B7875E0961E067B3630E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:22.599{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B648E3D91C17B5FB0EAAF25B638D69C,SHA256=12E33F63E5FDB466F03E84F07B7158ABF1C68D3CFF92D67051F6F2B2D3D14DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:22.352{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B3A2DACC2DD8522AB8A993EA0AC24D,SHA256=3E6ECB0CBBBEFD43B5BAF2BCBEB57C423F0F82BF4F2262CFFF5977BF3061240B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:23.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CF60E347486F618241B1A07416DF16,SHA256=F550839F70B79CEB7DFEC1965F12A2FA917FF37B57781581F7F1219CEC7F0E36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.846{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.843{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.840{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.833{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.831{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.824{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.817{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.814{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.811{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.809{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.799{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.793{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.773{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.760{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.746{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.725{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.687{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.670{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.663{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.651{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.639{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.563{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.560{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000356425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:23.369{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B980D7413F22F1BD16E377A613FA70,SHA256=8E088B6D48A7C71F70DEA61501EC55F2E236D20DEFBBBE926317883DF33D59C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:24.765{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D748931078644DA7ADCAE1491DF466,SHA256=9D78C5F640FE2A416D8A4E8E86A4FBE610684184DD7FB7D8C5465F928991B5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:24.412{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D1995975FEFF24F163A8DFA6AC96CF,SHA256=146B99D5DBAFFC318E39466A25875E578FAE290D54C7CDCBB18DBEBFF97A91FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:24.296{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:24.293{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 354300x8000000000000000356449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:21.785{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59867-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:25.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B217DD610DD08F361535285BDB940889,SHA256=6BACCFFACCC8D33230A6638BB415A4B507EE287912C42CDDAA3EFEF922A9E09D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:25.529{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525E3207779F1693E89F5C1C99529F7D,SHA256=D26B2E42EA45BC5F912EFF7769F209B45DDD23D9E6A228B79028B5F11E0EC95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:26.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF9DFCCA513B382D69BC038D161E133,SHA256=73BCA24EC8B2C51CA03FE399EC601CCE8BAB7A6CB07A3783D61588A73A8A05C4,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000356477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.959{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.946{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.938{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.934{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.913{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.899{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.863{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.857{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.849{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.842{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.840{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.836{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.834{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.833{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.831{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.830{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000356461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.669{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A757C7BDECFECC2B55532A3A36ED9E,SHA256=6AD19B1F619BCFCBE43C097330085875B870B808007CDC0C3AF62959213719EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.307{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:26.306{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.304{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:26.040{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.040{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:26.039{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:26.022{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:27.954{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B8F-6352-C607-000000008B02}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.954{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:27.954{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.954{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:27.954{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.954{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B8F-6352-C607-000000008B02}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.954{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B8F-6352-C607-000000008B02}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.956{30B46F62-7B8F-6352-C607-000000008B02}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.770{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A368CA85611BADD7A56FF223A24E0E3,SHA256=5B1DDB71FBFE5B2DBC0FB22D0B528454DB88BD501EEF27EC8765AEA21D7E2129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:24.278{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52243-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.329{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DFA0634F6D9716C17C11C26A190BC4,SHA256=CBE4E6EC231332228342FBB0C72EBD717E68AB32F6A5B2524C7863076B9397D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.181{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.177{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.174{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.170{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.168{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.165{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.162{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.159{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.157{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.154{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.151{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.149{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.146{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.144{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.140{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.138{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.135{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.133{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.130{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.127{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.124{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.118{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.115{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.112{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.109{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.108{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.106{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.105{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.104{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.100{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.099{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.067{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.064{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.057{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.054{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.052{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 
10341000x8000000000000000356481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.045{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.038{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.036{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000356478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.019{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000356541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.856{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EEB7DADCF494AADFF1E7961B328AF2,SHA256=BC856A81D80655DADAAA528512393A4DA102BB58188678B2CC8518083D0BB0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:28.045{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0CE380F719FF6F0BBC939677F7A305,SHA256=C0EDAF5B25E67D77DCA4147EC99DE1B521110D6F6798F001F796C70AAB52B2A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.671{30B46F62-7B90-6352-C707-000000008B02}77889444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000356539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:59:28.671{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e53c-0x30c92994) 10341000x8000000000000000356538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.454{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B90-6352-C707-000000008B02}7788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.454{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:28.454{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.454{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:28.454{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.454{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B90-6352-C707-000000008B02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.454{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B90-6352-C707-000000008B02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.455{30B46F62-7B90-6352-C707-000000008B02}7788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000356554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:28.259{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local123ntpfalse40.119.6.228-123ntp 354300x8000000000000000356553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:27.699{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59868-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.873{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B2A46C34AB7FE2317AA8E97493E11C,SHA256=B2B6603E8968F37AF9BD727AB2315F9C234015682B4F506F3404FDDB3BC9444D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:29.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45604D8B0F2741795C7262DC14A23908,SHA256=1D59731DB737E9073176511FDE1C8E315DC4A63DD482C2044487AA8C196C3F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.288{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8FDD6F91108A24F64C4877BE248A2CB3,SHA256=FAE49FBBB9730F6711A4964D63DFCC3A6AF6CFB222F03EB7436463C1C898DB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:29.071{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B91-6352-C807-000000008B02}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.071{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:29.071{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.071{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:29.071{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.071{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B91-6352-C807-000000008B02}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000356544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.071{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB965B1A22947A7AAAB685B0267BECE4,SHA256=5C72F934E9F9F694B8BFB41AF61FC6566C44CBD38A84EA79DA013CAA6F12ECD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:29.071{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B91-6352-C807-000000008B02}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:29.073{30B46F62-7B91-6352-C807-000000008B02}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:30.915{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C1DF068281C797D7ABF947F14F7241,SHA256=E3C29B11ADB91C88F57E127FA65B087C33E4051C94B575C8E175D93A10D43715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:30.896{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=935708C7035A323BDD2DDA5B16D23B6B,SHA256=E1787B21339F8A44E842166DCA16DA32B482A9570816E870764989601A55C094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:30.237{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4447298B11A7D88E48204CD3CE5ACFD,SHA256=1C53C19647EAABFEE8432DD6B3B8D4BC8BE5D1058FB1B0A817A2C559A0C1B5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.955{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36532363967C8B717D3DCBCB5DB97E35,SHA256=F6444C322F8AC657F2B7E0E23EB21292C30F7447ACF2FCC6E03B23BCBF8F76D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.990{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.986{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.978{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.976{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.962{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.954{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.944{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.936{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.884{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.872{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.858{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.849{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.841{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.832{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.830{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000236791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:29.389{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52244-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.307{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-212MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:31.306{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F25FE6D61B501BDD1BD89CF3151BB3,SHA256=BE0CFE35A7704019C2B409710285A44A298AB5B54CB8745119D4CF3D0069116B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.614{30B46F62-7B93-6352-C907-000000008B02}55089280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.407{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B93-6352-C907-000000008B02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:31.404{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.404{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:31.404{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.404{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:31.404{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B93-6352-C907-000000008B02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.404{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B93-6352-C907-000000008B02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:31.403{30B46F62-7B93-6352-C907-000000008B02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:32.970{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0531463CA13CE851452FB60DECCB0063,SHA256=05779ECB4A232F326F153D4946C43EB3CBB66C96E0CF513E288882299285E41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.949{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.687{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBC0E155FD5DFE00A431571ED0B5358,SHA256=F348AAFA276FB8D00E0A425DB592C1133D1D4F2BE5305D8E2AE487BDD0FB3131,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.312{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-213MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:32.930{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.022{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.012{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.011{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.008{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.001{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:33.444{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC52B8C30DCB5662B1C892003CFD5C7,SHA256=FBFCE0235DA165F0CD24E624947931111562850C20C95F93C733840DEBFAFDBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.910{30B46F62-7B95-6352-CA07-000000008B02}101008488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.654{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B95-6352-CA07-000000008B02}10100C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.654{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B95-6352-CA07-000000008B02}10100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.654{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:33.654{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.654{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:33.654{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.654{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B95-6352-CA07-000000008B02}10100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.655{30B46F62-7B95-6352-CA07-000000008B02}10100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:34.518{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACF121A743CF199379AB1EA2B279509,SHA256=8796D588F9DD51A3847B3F95D2240BCA6CF6E6078850F1C33206F38C222CC105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.807{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B96-6352-CC07-000000008B02}6620C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.805{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:34.805{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.805{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:34.805{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.804{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B96-6352-CC07-000000008B02}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.804{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B96-6352-CC07-000000008B02}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.803{30B46F62-7B96-6352-CC07-000000008B02}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.730{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8403F1A6F993BC8411BCA044B6030E5F,SHA256=DFA94FD2934EE9B39BF2A1B95C9E89CD084EAB2878724A2D69700DCEA082A57E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000356594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.492{30B46F62-7B96-6352-CB07-000000008B02}96529656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.393{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000356592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.393{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000356591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.393{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000356590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.393{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000356589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.393{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000356588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.392{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000356587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.207{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:34.204{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.204{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:34.204{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.203{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:34.204{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.203{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.202{30B46F62-7B96-6352-CB07-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000356579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:32.540{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59869-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000356578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:34.007{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283A67B52B5A0855C4898DC095F42690,SHA256=C3D7C7DD4DA877D781BD1828AB856718F3EF90E8EA40B78662F2273C1274AA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:35.608{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA36EDE83426435C751B56C0D0A13FD1,SHA256=2117D90602757C55402DDBB59B9D591EC946A1ED37039908ACE0F0A446BF7CAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:32.685{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59870-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:35.112{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228C48E505E17315B74A1D97D2FD723D,SHA256=87E7E6B4EBED3817D2C902054504B88673B69F1AB470411C3610F810B11F9655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:32.181{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52245-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000236828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:36.690{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE986324BE056B946605A4C39CE403B,SHA256=D1E47AC46A51979EA59242E3882E4D89F78BB546932B136572E4EA56D1508CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:36.239{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E914CFD7731554F2B08BD0C4CEA00A,SHA256=ABD3D6C8F608FE829FAEA6E3C52323270CF655650A7F5148E516553FF09BEBF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.232{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59871-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000356606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:33.232{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59871-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000236830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:37.777{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4B19B6247179FD8902D70C084B40A6,SHA256=98225FB32CDF991EF9FD0DFFD75EEDE9E86F343522333508001245B73499863E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:37.241{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6207467E198B9E293C5DC74792DEEFC,SHA256=A0A49F69A1B9FEBC65B0A58DC2D7AE03E9BE102879170F9CA85FF2D42ACBC591,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:34.500{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52246-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:38.853{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD69F3A10058EFD8240B138AB67FBEB,SHA256=87355DCF2D524FD3F0EEABBFEE92363BC3F61B45DD2F8FBDF8CF73F21FA1BC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:38.272{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDFCFAB0B735937EF5D4BD1C9F63A72,SHA256=0E65AB08CA64748C99CF3D4C50CA906881D3E7501732883B4DF145FE61733973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:39.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C002429D4E1ADDF5F4B623B8AD6730,SHA256=D2A3ADF122F8C65A0916BAED6F4E50AAE8C1D94A49EF8C648929875CEFE69990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:39.406{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9491F940BC0BC5A64FABB0E5A83282,SHA256=EAFB753FD3EC171CAC22EE3CA60D33D75B8CF280EE8A743FCEE087A2A5AC1A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:40.506{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561903B782A1B3078CC14BCB19A565A3,SHA256=8D6EC64492EA0BA6D62D13733D17C0D312F8C62A87EF4B6A4793A1119572D33A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000356612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:37.887{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59872-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:41.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A9BC7149F962A57512FFB39580F279,SHA256=09B299F255A8B0FDA9F60340B6C326FE12A0D0CB86E33F68AED2FFBE7158CE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:41.037{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009CEBB9D6585EF631B77205031170D7,SHA256=804FAAE348A27647B3369D8AB99221D17F8871203AAFD379A39A56B05BEB0E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:42.789{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD54045F0523EBECCE27204F431C8D7,SHA256=6F699771A6ADD379BEDB6F0A450C1ED6278360B4312165F4E2633BF109DF6C99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:40.461{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52247-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:42.131{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F893779E0F5A3A566A6984F6AEB2AE1,SHA256=396BB0EC41A9E18A592BB09DCD9C75DCE0A54D7926553A2FC1D47E728E388A39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.886{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 
10341000x8000000000000000356639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.875{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.869{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000356637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.857{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A600CB6A1E26F8163D18D8427405F280,SHA256=F96FC0A1DDECFD100C0A63EA7957CD73BF48FFDA4C6EDE390D63D765105D38B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.854{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.852{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.837{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.828{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.824{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.821{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.819{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.812{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.806{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000236836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:43.207{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11C5F89E3CC4FC6631167B9C93ED807,SHA256=558B84DAEF667301EFAAD44748DFD819467D594240419C4D9769150A63EC5C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.788{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:43.779{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.769{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.757{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.710{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.692{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.677{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.659{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.634{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.565{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.559{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000356616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.061{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-212MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
10:59:44.893{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A1CB20A02F9AF036BF7E9197AA4DD1,SHA256=5BF8819C9E77C944A365E16D35CA362BA3B7809A4773F134F3E657A83B426481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:44.300{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B26D229A839E1735970D9EC9C5AD0A,SHA256=2556432DB2C8F69B6AE8309B6E02141EB88A04618AAF354B9EC9C625AC57A09A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:44.317{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:44.313{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000356641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:44.059{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-213MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:45.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691406584FB96A30CE82DDD84778BCF6,SHA256=162DF9E21825E65D7281C96742EA3A9C1B1D4C41CBB6F940EC5B3C01EF3DE966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.743{EFF5EEA8-7BA1-6352-9106-000000008C02}3268800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA1-6352-9106-000000008C02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000236849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BA1-6352-9106-000000008C02}3268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.540{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA1-6352-9106-000000008C02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.541{EFF5EEA8-7BA1-6352-9106-000000008C02}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:45.384{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CBF982BF293D32EE6B370D1B26FE7E,SHA256=0B6874EE6A421E442753C540E6D29ABEE89C1399BEB838538D6130C368E8EC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:45.661{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=C0A76B73E390774917381629197B45FE,SHA256=EC45FB20ED606909F83F7A0C5F1A4ED3698D3ABD144BB9B009C1B2B31DC1E53C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.973{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 354300x8000000000000000236882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:44.805{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-49436-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 10341000x8000000000000000236881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA2-6352-9306-000000008C02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.774{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7BA2-6352-9306-000000008C02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA2-6352-9306-000000008C02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.777{EFF5EEA8-7BA2-6352-9306-000000008C02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC8851511AEC211E248C75CACFD3A21,SHA256=6D5C5D4D7780ECEE8CCEFE7E1A1768C90BD8F4ABE8331D7E1FEF1283F3B64ED5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFAB321D28F9C515A69988A09DEC509D,SHA256=2BDFB2355A07C9CF240AF8EA37E8305C4DD647BD1F7D96D5B56FC4610F63325E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.774{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D1A03A3678C6F121A935990A94D800EF,SHA256=1E769247C2C3B9A6DDD9C7E9FB450E27D02C835A29305FF0B2181EFF150435D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.963{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.958{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.955{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.936{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.923{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.891{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.883{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.873{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.868{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.867{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.864{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.862{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.861{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.859{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.858{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.342{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.341{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.339{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 354300x8000000000000000356650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:43.814{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59873-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000356649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.062{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000356648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.062{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:46.062{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFc852d6.TMPMD5=A4670CABC14D7551C56556724DDE58F1,SHA256=5AA750D72DC98C3B2F0FD3674D91BD9CF2CE599A23918CA948117F1E8D66A72C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA2-6352-9206-000000008C02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:46.212{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BA2-6352-9206-000000008C02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.212{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA2-6352-9206-000000008C02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.213{EFF5EEA8-7BA2-6352-9206-000000008C02}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.928{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09A941D6985EB312D6B8E682391E1B9,SHA256=558A10EC3A5801EE7BFFCADE1776457A657DEC42B856B872A30AEB4B434448EF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000356713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.159{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.157{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.155{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.153{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.150{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.148{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.145{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.142{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.139{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.137{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.134{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.131{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.129{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.126{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.124{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.121{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.118{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.116{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.113{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.110{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.107{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.102{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.097{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.094{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.091{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.088{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.087{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.085{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.084{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.083{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.079{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.079{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.078{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.077{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.058{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.054{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.047{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.046{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.045{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.042{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.037{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000356672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.035{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000356671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.023{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD814F96BD6C2E76984C653BA5E8A56,SHA256=C9623CF48E8117A51FE544450655D58E952C39E5B5893FC4B9F901A4D1E7B9FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:47.019{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000236902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.607{EFF5EEA8-7BA3-6352-9406-000000008C02}31042640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.570{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.570{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.569{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.569{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.569{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.569{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.440{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:47.441{EFF5EEA8-7BA3-6352-9406-000000008C02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000236931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.934{EFF5EEA8-7BA4-6352-9606-000000008C02}29843264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:48.543{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87442421B8CBA7244D3F233E84EF0464,SHA256=BF85CD9EBD0E5248C87904B5D573E5DD0626FDD6E4B50AD9826DFF7F39FD7500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA4-6352-9606-000000008C02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BA4-6352-9606-000000008C02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.778{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA4-6352-9606-000000008C02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.779{EFF5EEA8-7BA4-6352-9606-000000008C02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000236917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.266{EFF5EEA8-7BA4-6352-9506-000000008C02}23641624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA4-6352-9506-000000008C02}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:48.116{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BA4-6352-9506-000000008C02}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.116{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA4-6352-9506-000000008C02}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:48.117{EFF5EEA8-7BA4-6352-9506-000000008C02}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000356715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:49.569{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14F8FE7230AC13DDFD685D7B51EA48A,SHA256=1DE5B6D3BAA4150BC2ACA9051DB78B576E5895321B79FAECC413A0A22D0C57E2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.901{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0BFDB773BE88ACC4347CFBC92190A7F7,SHA256=419012A512B5726B70B1BF9EC9A00B61D9E0BDDB697731250D867646E91ED017,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:46.350{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52248-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.592{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.592{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.591{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.591{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.591{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.591{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
10:59:49.454{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.454{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.455{EFF5EEA8-7BA5-6352-9706-000000008C02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.044{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE94FF5E3FD95099A1F8569453369ADB,SHA256=443E44AB2473E27AA1610F71ABAB6AF8196F76035915DE60AACB01DDF91B41AD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000356716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:50.620{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550A8B6BAF07836DBFF0DF8907C6CA64,SHA256=0C421F42ECA4CA84C6CE494F8C04583BB50BF1CFB3FE6951997D27060F6747B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:49.995{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0F84D38353698C736ACB21451DAA21,SHA256=754460DCEC9DC163450EB7E9F9D8CE025641A6E19FC8C26F57D04AE1F8808052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:51.705{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B197633AE7A637019CFC99A0ED7C0C9,SHA256=CA7CC976AE7D13F69E530829E2D2BC5FC487D073EA6EFFA384167D184B7DC6DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.994{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.958{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.950{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.926{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.841{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.817{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000236955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:51.081{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9842D75FA5DC51F495E6E37E9FAF3C21,SHA256=B6C2997704E9E3352C31C637D0AAB0E54E5B3235D7341C5A20B7D21982423D77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:48.830{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59874-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:52.776{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E7ADB6E5BAE268C375BB1D72461B57,SHA256=EE06DBA0856A9F2117763F31DDD8AA6796741AEE1251A5529626C0228E8840A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.367{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9BEF7B4BF98974F66453C9E356E026,SHA256=38950A7BCF073B9115CEEE7ECC72320EAA5714AF0EF14CF7A698D7C526C1A19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.011{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.011{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.006{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000356720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:53.856{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4DECD6BBEF5CE97C38313D18FE2C83,SHA256=B4F12275DCABCDF88F1989C5195736AD86241C63A3A15C3AFEE90B4A0306050E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:53.442{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982200314C27BC4D5C1500CB83518245,SHA256=A76353D26B52078FA33161D1145B3D6E89958F3132BE379421EB9084C6EF8D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:54.965{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B794BD1E62FD538CD32664E2D743A0,SHA256=C082B959EF7873DE5B37EE20F3C3DFC3BFED674F13E75B3C64D4083DD19D38FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:54.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=414F59B936FBF5BBD3F564F044FBCDA7,SHA256=6AD903C638AEC199781FE630357A82EC7B525FBE4983E39FE1BC037590D3C65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:54.539{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2C7CCD509ACFEEC2445AA40D1FFF2F,SHA256=02999E0B742C0967293F66602E35F3E504766FFE489FA69337B79851B471C87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:55.984{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DF0F6ED68A14A6345D6E8CA392E3A1,SHA256=E1DB7440CD042A9DB51EAEBCC3CF15773E420F92E5C21CF13D1C38AA9B086774,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:52.336{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52249-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:55.638{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A1B3971DF6476CF063E5F0E4004638,SHA256=0B30E005190A3E992FCAEE10683EEF2564D7CAA2A0030B0C70EE498486DCFC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:55.167{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C307D7F6BFE293DC3DE6DEDCA4F40A8D,SHA256=CCECD103016A63996D7931D4FB12A76FEAD3CEE94079ABB62122727394EDB1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:56.712{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2023040596D7C701FD205E973F0D0E63,SHA256=A33E1E68260965B40E9C0CE0FBEC7B0979496E30EE0B2679BB4E2AA9AE7991F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:57.796{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4E111E0723EFA357107277F46833E1,SHA256=878204108220A907CA3DDAB50494D39025FAF34093AFF762A2E3AA0ACA23C0BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:54.812{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59875-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:57.033{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764CD210BAA8CA21353029DFCD11AEDC,SHA256=5E7E4B6DD9D8A857AEB8AC064B532983E12498DEE28A5248F4848947D3EA272D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:58.868{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548E882F0F79691270D529D0495C3F95,SHA256=0E3C033A448E42DA58071B56C18854FBE4B4CD1EF70A19CC6A65CE7299CD3CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:58.086{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52950146BF87E32258560E3F759D4F5E,SHA256=AF12848ED1BEA7628E8702CDD97BAF63713444B1266F6AABA2122F854946D7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:59.965{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F418C71C08575C34B1D5DC024916CF,SHA256=A40973809D45D59D7C830957EFE503A423F927503D20AFBEC812DDB9B14BDBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:59:59.138{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC0D5412278FE647A1BE41EDDAD1835,SHA256=91BB013ED496F2E9BB0860853F2F3D0CD6B28EE50F8A9FD24F9226AB7A72384F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:59:57.497{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52250-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:00.994{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=46604903174C46EDBFC4E0A8B8F4549D,SHA256=BA872CAA2D7AC0F8E1E654541CA3CE7C41B7C6A6B6440F0F743CCF6A9E18B2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:00.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD21D8DC5C9553C5A956510D7D57F78C,SHA256=8F9A1C39D2E71904153E187366BCF5FFFCBB8609978232B495F280773160E053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:01.043{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2537624081C18B84CF8555D52EC3C0A6,SHA256=D0A1D9799BD65F9803DE3717E2829452EF43059F8382738F856A7C59AFD2B4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:01.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6905CC001AEFC149ECF51918E03572B6,SHA256=FBDBB2E9BE7894D4C6D4F3C7C4E30A4F80240C8517554E91D5B14B7CB1B93714,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000236998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:02.143{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4BC8265C53DF6A290CB3E5EAFC670E,SHA256=0EB5FF027EDC9A55A04E27F4FB2E3897B4259134CF694177318AAFB39B248FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:02.372{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CA4467F12B02136B5C98753479DFFE,SHA256=5D4FE5F18B7785008B58846062FD5BD9B6842BE49F062DDE1DB283297197AC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:03.242{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAA2863189AAD51C4443A5413E88D56,SHA256=7916FA1971E7FD7CEAC3C6D5FA552EC561F6FD6119E639B9D7D1AAD6010902EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.969{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D49A309B61B292E26E9ED5811BFB24E0,SHA256=0B90439EFDB3EB24904A76A53EDA8CEB7AD8D17E9760E3153F1C183A6E89765B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.919{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.911{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.903{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.895{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.892{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.880{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.872{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.868{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.865{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.860{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.848{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.837{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.824{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.806{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.794{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.779{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.729{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.700{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.688{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.669{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.647{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.539{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.535{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000356732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:03.430{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7341ACAD109945C6EDC1EF56F76AE76,SHA256=8C90FE783D3295F53F8E460789E5BEF709D2398D6764C85D99D46AEC7FD29692,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:00.801{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59876-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000356759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:04.457{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000356758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:04.453{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6A352C16E7B89546C648E1D66E2494,SHA256=7682F864ABBB42242F95C3917F1563DCBB549D6DF8186575457780AB48A48D67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:04.453{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 
23542300x8000000000000000237000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:04.328{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608A811BDDEB6D8C4660E6A4C514E9A8,SHA256=8C95CA0029A9A82EC45979AB0C319DD14EB6173F85D179DF3116773780CCEB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:05.524{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E7D75A7EFDC6397C1F0992BE2F6DD1,SHA256=34C2545FCB54555E14936DE4CE717274873CB96DDB902A61796891A0724312C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:05.936{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D5B64EB290798CC7D4B5856CA087D670,SHA256=BE12BE882C3D8E97CB02F50C98987B66B4728A51C16633ACEF8C23537DB31837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:05.405{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C023EF25A0CFEAC1048E928B99A2F49,SHA256=2C32B8314780B00709DA554C414DD80210CDEE922C623B64F45F4490266A674D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:06.494{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F82392CC0AA7AAFFED52455965D6996,SHA256=776C748BD05F0B0D8917F347E2EEEB794964C4512991514D525C269B574A41E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:06.613{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C76F3A067F4579926C52FCD4E772060,SHA256=236376278DFFB47B9B6497E67215FD82A817817DADAA795A314D13CEB39F1113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:06.528{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:06.527{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:06.524{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 354300x8000000000000000237003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:03.427{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52251-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.711{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720A9564EC7ABEA8C26F0A148FABAAE3,SHA256=9BEC5633BC70560299F47F8CCDFC861A8E7F47B37713DAB01F1E8BBBD64F28DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:07.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B09E4AF2E38626DFDDA4BEAC88AC5CA,SHA256=660109888F529FCFC3C411868BED9CAD2C618E599BD3E22114092561F6B8D03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.411{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95127C46A081F33FB0513415D58F6AD9,SHA256=127DB343B24BA90E54C2AD9D49714776B2F0E4D36C268A5936DB0E7840F078F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.345{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.343{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.339{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.337{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.331{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.328{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.326{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.323{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.320{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.317{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.314{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.312{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.310{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.307{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.304{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.302{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.299{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.296{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.288{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.287{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.283{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.280{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.277{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.275{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.271{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.268{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.267{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.265{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.264{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.263{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.257{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.256{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.255{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.255{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.235{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.231{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.227{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.226{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.224{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 
10341000x8000000000000000356784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.221{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.218{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.215{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.204{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.154{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.146{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.144{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.138{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.118{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.108{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.087{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.081{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.069{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.061{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.058{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.055{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.052{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.048{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.045{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000356765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:07.044{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000356827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:08.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C659DA7EFA9C137934876001C3A1E2,SHA256=E46C490EF676EB3F7E6ABD85E24C66D90CD954AF956EE48D54083F1117E13153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:08.779{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879904B00604C56626A00D82BD881F8D,SHA256=ABACA3C7EFCDB2A53624ED196FE8DD4517094DB39ACDDB880D6F00C8CACF6C18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:06.767{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59877-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:09.814{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37016B8AEB9C59E7225745A383F499B6,SHA256=302528348A22FCAE310C214E85A48366FC71B7608A7278D8269EF8BA89CDA1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:09.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D608F7C304F344D2C5D0F82E71D2DC0B,SHA256=C1E6FFA9413F9EE62EA78AD97D2F70D38024800BE4739C0BAF92D5490AB073C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:10.849{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B22FFE618F493FBD9CCAB4A9465384,SHA256=2B7123433856203DF3D2175D213F267CBD90BABCC77AB845E7BC3B9C12B39F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:10.935{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5830D2BF04D47241BAE199A6C7DAE00C,SHA256=950B334A934F244D607E2004B86DA7F9F1BA0BDC623018F29D704E06A1081038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.993{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.982{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.957{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000356830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:11.995{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3105B4A726528B25BA74B742011D7D,SHA256=17A248C104D09E544C0CEBB228492632CF8CA97B54D13140C22C9F14144D02AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.928{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.873{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.861{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.847{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.841{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:11.839{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000237009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:08.447{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52252-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.989{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53E7B746C2ADFD7804543B13BAD005B,SHA256=1F5144C475FFB8CD364CB3B82FF7815132452F966855036657F21EC44C85AA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.096{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.093{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.089{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.086{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.085{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.082{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.081{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.078{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.074{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.069{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.065{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.048{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.044{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.040{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.029{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.027{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000237023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:12.010{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552B6224F01884FBD0D5C9F9B7AE9393,SHA256=518E088376224CAFD79DC19CDC71BAC9E781BAC68E2745BC08CDD40255EB6820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:13.037{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFABAA352F7AD4B18851110FD37C7EA,SHA256=C3072BA4542E37629D76BBB4A28B8CB0F2634FB7B31CED3311B9208E7C9C854D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:14.438{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:14.438{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:14.438{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:14.419{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:14.054{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C42DA6BB1B838FF149FD91528769FC9,SHA256=F4D82E77B16FDA8267691D2BEF39B7FC0A9B60C83C57034874532E5C35C7CF7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:12.828{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59878-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:14.099{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F2A24F8151686A7D334744D84BC99D,SHA256=96F4DB12F27B335E4D8981A950F33D13676034393AB9CA523926CD87BC1F4BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:15.124{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA720F21283C3A8D6C359F9F5177C26,SHA256=6121402BEFCC8E193BA0FFB21BCF1C861784D9C535D40A88E15A5EA8D3A70A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:15.942{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc8c798.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:15.125{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C221DA209428A13C7FB0FF5B2047D6,SHA256=A011449CB3DCAA5B87F2ED71DF01E49F8FF8D06CDD813CB8FDAE7E4027947475,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:14.309{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52253-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:16.201{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946AC3817B2943F6AE30DC5839EC5C70,SHA256=DAE6B67EACE584ED075B92FE9B7EEADC8EBA24263B4CCF2B200EF7361917E126,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000356836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:16.158{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5529DFA68E6E1F36F5EF08D9C5C92693,SHA256=D5C0F306F0AEA39FFCF41E51BFE2B0CAAD79328FAB3FDDA7A8150A6B34249284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:17.244{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A6CB8B7B20A9FD3788B7C5AC001639,SHA256=BA49CA241222C29AD29B12A2FF88993D9E7A46D6E8A85027195F86696E4AC8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:17.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A1DC29DEE608CF1634BCBF77DF42DF,SHA256=F7E3525515D77621B8540D9954B275FAA7B3C7CD5B3CA30BCFBFE583BE8E2D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:18.306{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90787D9A49AEEE75D34D2315F148ACD4,SHA256=A43B873CE8C058EC6A3ADD6ACCDE1B4EF1C43218E0619F3735F27BA279D668EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:18.353{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B892AA556029152FC4B5616967EC39,SHA256=F28A444D4B42CDB7897BA07F047C661934393843A5273EC30B11709D9D89332C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.777{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 
10341000x8000000000000000356910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.775{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\System32\shell32.dll+ba960|C:\Windows\System32\shell32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+9e39f4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+c43ebe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+b1211f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64) 10341000x8000000000000000356909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.775{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\System32\shell32.dll+ba960|C:\Windows\System32\shell32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+9e39f4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+c43ebe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+b1211f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64) 10341000x8000000000000000356908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.775{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\System32\shell32.dll+ba960|C:\Windows\System32\shell32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4 10341000x8000000000000000356907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.775{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\System32\shell32.dll+ba960|C:\Windows\System32\shell32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\comdlg32.dll+13ae4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+9e39f4 23542300x8000000000000000356906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.737{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DD837FC6A6336166387F252B4F2C5A,SHA256=FE2C4036C7C7B6179D290416E301BB7DC4C4E2DB39D9709636208BA8DB822C03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.494{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.492{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.464{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 23542300x8000000000000000237052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:19.431{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF745A3C0BC05E264612F53D08AD0FA,SHA256=0E895DA391DBB73A3F05318EE910D8D547702D49AF75938C558711AE747C0B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.464{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 
10341000x8000000000000000356893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.464{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.464{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.464{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.464{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.449{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000356871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000356870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.433{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000356868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.417{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+1400b3|C:\Windows\System32\shell32.dll+13f654|C:\Windows\System32\shell32.dll+13f3d3|C:\Windows\System32\shell32.dll+13f44f|C:\Windows\System32\shell32.dll+13f21a|C:\Windows\System32\comdlg32.dll+10e08 10341000x8000000000000000356867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.417{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+1400b3|C:\Windows\System32\shell32.dll+13f654|C:\Windows\System32\shell32.dll+13f3d3|C:\Windows\System32\shell32.dll+13f44f|C:\Windows\System32\shell32.dll+13f21a|C:\Windows\System32\comdlg32.dll+10e08 10341000x8000000000000000356866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.417{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+1400b3|C:\Windows\System32\shell32.dll+13f654 10341000x8000000000000000356865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.417{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\comdlg32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\shell32.dll+1400b3|C:\Windows\System32\shell32.dll+13f654|C:\Windows\System32\shell32.dll+13f3d3 10341000x8000000000000000356864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.409{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb771|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+6cf83|C:\Windows\System32\shell32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000356863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.409{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\shell32.dll+bb6ed|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+6cf83|C:\Windows\System32\shell32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000356862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.409{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+6cf83|C:\Windows\System32\shell32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000356861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.409{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+bb6d1|C:\Windows\System32\shell32.dll+ba2e3|C:\Windows\System32\shell32.dll+ba214|C:\Windows\System32\shell32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\shell32.dll+6cf83|C:\Windows\System32\shell32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 23542300x8000000000000000356860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.364{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67CEC2CB230B10F260E90510222A02C,SHA256=A868A3EB5C83D62E6E73B11928B9CBA814062C80604B35ABD8E43B3039ADF502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.348{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+11f14e|C:\Windows\System32\windows.storage.dll+11e956|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB100635)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834 10341000x8000000000000000356858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.348{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f265|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+e020c|C:\Windows\System32\shell32.dll+dfd55|C:\Windows\System32\shell32.dll+e086d|C:\Windows\System32\shell32.dll+e3e8f|C:\Windows\System32\shell32.dll+13ff02|C:\Windows\System32\shell32.dll+13fa22|C:\Windows\System32\shell32.dll+13f63f|C:\Windows\System32\shell32.dll+13f3d3 10341000x8000000000000000356857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.348{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f1e1|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+e020c|C:\Windows\System32\shell32.dll+dfd55|C:\Windows\System32\shell32.dll+e086d|C:\Windows\System32\shell32.dll+e3e8f|C:\Windows\System32\shell32.dll+13ff02|C:\Windows\System32\shell32.dll+13fa22|C:\Windows\System32\shell32.dll+13f63f|C:\Windows\System32\shell32.dll+13f3d3 10341000x8000000000000000356856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.348{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+e020c|C:\Windows\System32\shell32.dll+dfd55|C:\Windows\System32\shell32.dll+e086d|C:\Windows\System32\shell32.dll+e3e8f 10341000x8000000000000000356855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.348{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\shell32.dll+e020c|C:\Windows\System32\shell32.dll+dfd55|C:\Windows\System32\shell32.dll+e086d|C:\Windows\System32\shell32.dll+e3e8f|C:\Windows\System32\shell32.dll+13ff02 10341000x8000000000000000356854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.317{30B46F62-485E-6352-1400-000000008B02}10442236C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+11f14e|C:\Windows\System32\windows.storage.dll+11e956|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1a8f6b|C:\Windows\System32\shcore.dll+33fbd|C:\Windo
ws\System32\KERNEL32.dll+84d4 10341000x8000000000000000356852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+11f14e|C:\Windows\System32\windows.storage.dll+11e956|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB072AB5)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1a8f6b|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.dll+84d4 10341000x8000000000000000356851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f265|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1a8f6b 10341000x8000000000000000356850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f1e1|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1a8f6b 10341000x8000000000000000356849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32) 10341000x8000000000000000356848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703) 10341000x8000000000000000356847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f265|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1a8f6b 10341000x8000000000000000356846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f1e1|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1a8f6b 10341000x8000000000000000356845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32) 10341000x8000000000000000356844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.309{30B46F62-4AFB-6352-2901-000000008B02}49285372C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+11adf9|C:\Windows\System32\windows.storage.dll+11dae8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072F32)|UNKNOWN(FFFFF802ED789703) 10341000x8000000000000000356843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.163{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+4f09a|C:\Windows\System32\shell32.dll+bb5d4|C:\Windows\System32\shell32.dll+ba37b|C:\Windows\System32\shell32.dll+b9e5d|C:\Windows\System32\shell32.dll+565b9|C:\Windows\System32\comdlg32.dll+13ab9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+9e39f4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+c43ebe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+b1211f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.d
ll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\74642fbac0d5c846c9416ea3241e65bd\PresentationFramework.ni.dll+14a55fd 10341000x8000000000000000356842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.163{30B46F62-4AFB-6352-2901-000000008B02}49285336䁌�ǘindows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+4f088|C:\Windows\System32\shell32.dll+bb5d4|C:\Windows\System32\shell32.dll+ba37b|C:\Windows\System32\shell32.dll+b9e5d|C:\Windows\System32\shell32.dll+565b9|C:\Windows\System32\comdlg32.dll+13ab9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+9e39f4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+c43ebe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+b1211f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell
.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64) 10341000x8000000000000000356841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.163{30B46F62-4AFB-6352-2901-000000008B02}49285336C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+4f088|C:\Windows\System32\shell32.dll+bb5d4|C:\Windows\System32\shell32.dll+ba37b|C:\Windows\System32\shell32.dll+b9e5d|C:\Windows\System32\shell32.dll+565b9|C:\Windows\System32\comdlg32.dll+13ab9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+9e39f4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+c43ebe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\77ab835832f6408628e048d4594d076f\System.Windows.Forms.ni.dll+b1211f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389
bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\58794c755f9dd3bac6a7a98cdd6530e7\Microsoft.PowerShell.GPowerShell.ni.dll+f7389bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\74642fbac0d5c846c9416ea3241e65bd\PresentationFramework.ni.dll+14a55fd 10341000x8000000000000000356840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:19.148{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.148{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:19.146{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FC7E2D5C963300CD9C937ED311D3EA77,SHA256=92FC1CDF3E3752A0AB77869409D488118660A705C3C42D6F151398F57219AF85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:18.679{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59879-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:20.335{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA27B8097EBE76C5741C64B218C12DF,SHA256=CE0C448AC840CBC83E6A2462356721EDC54262A1481F55BF2CF4A9610BA2B633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:20.508{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24E4CCAD8544B1B432009CEF573170F,SHA256=3AE114D3C15473BA77DC05858DC95B93C9A2123C6DCFD08BFADF1F4DA076EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:21.597{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EE18F8610D709B9B238D4703657F6C,SHA256=BEAAACC10E93F7B6E36575643AD087C1604C50437CDC8AC22C5B1049A8DA48AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.008{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59881-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local49666- 354300x8000000000000000356919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.008{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59881-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local49666- 354300x8000000000000000356918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.007{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59880-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000356917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:19.007{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59880-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 
23542300x8000000000000000356916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:21.388{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5716893BE6DB7097054EB22FD8BE97EA,SHA256=01042169A4E48D9BE7A0A0D08F2F905F3B0847161EBC4F481AF2453260107A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:21.213{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:21.213{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:22.675{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9042935F23D81D89CBB4C6E13F7A0261,SHA256=1F57FD86D2F8A575B594B87ADB2CBE5F4B93A3DC7C056969653F824944FC3621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:22.439{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9A2AC4E96F4A09CBD6F288B11CC444,SHA256=ADAA13746FBCFE7B9ABAE7337CB34106BB0A4EAEA1663DD56C17DC74D6ED7F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:23.773{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D85C629919CBFF422B5D6A09B8D6C53,SHA256=A6169DDF8ADBC8FB15859C5ECD76E555F61DB7F6E7942F2DB3355D396A681662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.881{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.875{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.872{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.857{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.851{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.843{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.835{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.831{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.827{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.824{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.817{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.811{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.785{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.773{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.757{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.740{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.687{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.664{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.641{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.621{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.606{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.548{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.544{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000356935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.472{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DE4A767C9AEEEB9217A08A17198D2B,SHA256=40FFF28AE247FECAD0EFDD235861287340E76778BB2837D2CA7F74AF13EEC350,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:20.316{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52254-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.225{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-766743\PowerShellISEPipeName_1_16f65a82-f33b-4d20-b208-b341da8cc26eMD5=A5EA0AD9260B1550A14CC58D2C39B03D,SHA256=F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.192{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.172{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.172{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.172{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.172{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.172{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.172{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.140{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xmlMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.140{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_75547606-9454-4f48-b92b-8ccda80f2c1d_Untitled2.ps1MD5=7A6844685B3D2D837BBD9F1A9B145FF1,SHA256=6F6E28B5BDCC8487619726ACD45588FB1F90AD6253D4893F5B841BBB09FEB51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.140{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_511efe16-dc4d-4b4e-9aa7-7723bf779e6f_Untitled1.ps1MD5=8DB94E55CE6361B23ED53503CC001810,SHA256=0CA8AFF18E9060F00116019919CE4577F5349862A3A50A42F4EDC05AE37C6A24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:23.125{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:23.125{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:24.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49F7AD8BB1E4C16C1C310F44CE19941,SHA256=158E2E814370BB6B7171C86F77E57AC15253C717082E7EC40634319AB607760B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000356963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.758{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.500{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72388E809EC3819584CAFADFF4096D92,SHA256=D950AD894AEF6529F1C49D2EED6334FCBB495F7A0EAC35551993A7D44DE6D1AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.309{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.306{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000237059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:25.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C8A754DE8B3596F31FFEFCC6572D38,SHA256=80E53603035745C13C305F543C921DADE81D78CE5CF09BD9FDCF9E4C237EC6BF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000356969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:25.572{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E04CD6DF80F9E75210205B74E0FDAC,SHA256=F6FF50E979D588E8919E2CA6C39F450E072C787EB5E0A17F0D612833D010F3BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.989{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.939{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.936{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.933{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.909{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.890{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.863{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.855{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.845{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.838{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.836{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.833{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.830{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.829{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.827{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.826{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000356975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.645{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BAD43E67FFA026A372580CDC6C7BEF,SHA256=F288BEF8DCB5EB8A00CC74D7563DCD17F48F4689B6EBBC6E477B02070D6E269A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:24.674{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59882-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000356973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.324{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.323{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.320{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:26.019{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.963{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BCB-6352-CD07-000000008B02}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.963{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:27.963{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.963{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:27.963{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.963{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7BCB-6352-CD07-000000008B02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.963{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BCB-6352-CD07-000000008B02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.964{30B46F62-7BCB-6352-CD07-000000008B02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.698{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339790206D5D304D6F35F5E9B3457714,SHA256=C41AAAB67C3F0B5D3A5976FD2AE8B7D81BB433B35232847B6651A122BEEC6F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:27.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0AA5D8AABB521E014647AAB6AA4EAA,SHA256=84399ADB5BAEC37DC7E35D6212837A3BC07B294AAB89CA23BCC05006463A9798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.346{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387B1DD25FB86029416B6451D6DB96D3,SHA256=C1282DF6D375F8EBCC0E4414C475B80A45A5E50C6B58ACBA0D0A24717C1D4368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.273{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.273{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.273{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.264{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.264{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:27.264{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.264{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.137{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.135{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.133{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.131{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.128{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.125{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.122{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.120{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.117{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.115{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.113{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.110{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.107{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.104{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.099{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.096{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.094{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.088{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.085{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.080{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.077{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.074{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.070{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.068{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.064{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.060{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.051{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.045{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.045{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.021{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.018{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.014{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.010{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.009{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.006{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.003{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000356992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:27.001{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000357055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.851{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A84E51D981762BC41B807D47087BC249,SHA256=BFFCCBE83BB6D0B831579C1D199764BB955EF1B7A404702568820307A77462AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.749{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFFF721BDBA5745A4F8920887D8C02B,SHA256=C928EDF8002150B4E0C9B29D9137AFFD3A022CA30A85EF4904296F580861898C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:26.293{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52255-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:28.118{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8336E016FDB5B2E7B83A659C4C672B95,SHA256=305072A2CFB7E9DAE29370F84A0F6163D2DEB7B45C80CEDD2B1EAEA8E53D8D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.633{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BCC-6352-CE07-000000008B02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:28.633{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.633{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:28.633{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.633{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:28.633{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7BCC-6352-CE07-000000008B02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.633{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BCC-6352-CE07-000000008B02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:28.634{30B46F62-7BCC-6352-CE07-000000008B02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.782{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89A9CD1A2ED0FA060740C81079CA63A,SHA256=C12483C9BE80E8A1A80407590EB58CD6C1C3E29C4D8D354E2D1DD44936D63AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:29.201{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D35B364ED3A351B5232400D1EFB34B0,SHA256=D2A006D6BDC25769BBC3235F4D90AC05D2E74A39F4FA45D4C2064652D151AD39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.526{30B46F62-7BCD-6352-CF07-000000008B02}78206416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.326{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BCD-6352-CF07-000000008B02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:29.326{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.326{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:29.326{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.326{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:29.326{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7BCD-6352-CF07-000000008B02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.326{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BCD-6352-CF07-000000008B02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.327{30B46F62-7BCD-6352-CF07-000000008B02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.009{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=578CC8C947C6BCC6464AA5AACF3C9E65,SHA256=11837C21AC6F06F928A0F714E9F6EB52F60888A5525D6C18196FCB6A4B112E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:30.802{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E7674D3CA48E605D5209F1B9B29428,SHA256=AAF6AE5A2224726E3F571D2C4868C7DB2CFF8910981DC9A9FC201FEBADEE5640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:30.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF5377F96593C8D1578823FAC0EF951,SHA256=B505AF71D4E285D8EBA8AEFEEE179D3D265A55F721C3DED6C28754C99A1BC205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B786D5BDEDA415F7C01262AA8F940A6,SHA256=3AFEAB145B33F3E6F9240240A35C25DE5AA723279D698DEBACFB2B39004A0009,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.986{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.984{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.983{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.980{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.974{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.963{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.960{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.958{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.950{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.934{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.861{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.847{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.838{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.822{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000237066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.819{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000237065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.342{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBB59AD2B50FE6898F0D58F77C364F4,SHA256=91190F3F91EB2043D6BC03FD7D7CB1213ECC015F0F02108C7082C48B43DEA937,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:29.759{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59883-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000357077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.439{30B46F62-7BCF-6352-D007-000000008B02}94084536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.254{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BCF-6352-D007-000000008B02}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.254{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:31.254{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.254{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:31.254{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.254{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7BCF-6352-D007-000000008B02}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.254{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BCF-6352-D007-000000008B02}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.256{30B46F62-7BCF-6352-D007-000000008B02}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:31.105{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=58D5EB462E070FC53A6A266ACBDB2CBF,SHA256=A72BB66EA50885553CF7D89383F48C5BDEBCF78CC9AAA50E3B8B81920EB7409B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:32.989{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F88E63D76FD2D9CF17B8D12871684B,SHA256=3B1300EFF48E420E0B33E174B62F179DD0B89AD8794EF494F242A8DC0FFD0F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:32.958{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:32.973{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:32.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5862A88F85E551D21B62995F74DFDADA,SHA256=CF888AF957B5E7268ECD62DB8998E800BF1BBD433F3685D246D18DEAA7D133EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:32.842{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-213MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:32.000{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000237100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:33.927{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24DD48A1AE0E13F5DDC00D6CC22C5FE,SHA256=FB7A5B68F36033DC31B7416701E501EA9657115AB1022E0FC00DD6657876DECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:33.843{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-214MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.912{30B46F62-7BD1-6352-D107-000000008B02}44647588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.861{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.860{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.859{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.859{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.858{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.858{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.660{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:33.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:33.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:33.660{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.660{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.661{30B46F62-7BD1-6352-D107-000000008B02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000237098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:31.411{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52256-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:34.896{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC15E8832B95BA8B28FE29C9FB94B59,SHA256=227588BCA9A433C3656EF8ACF69D4B5256B6988C71DF21FACF12501EC4A13C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.693{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E51B8C055CC2FAA93C3833062604AE7F,SHA256=ED26EAC99C0A4415AF126DAE2EDE3DD8CDB0F9E575A0835BF602DFED8DBEEE89,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000357107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:32.566{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59884-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000357106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.538{30B46F62-7BD2-6352-D207-000000008B02}71248716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.337{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BD2-6352-D207-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:34.337{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.337{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:34.337{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.337{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:34.337{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7BD2-6352-D207-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.337{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BD2-6352-D207-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.338{30B46F62-7BD2-6352-D207-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:34.036{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26288DBBC3E7CA04339D193FF9C2D6F,SHA256=32AC14194F2B37FFAEAFA6B492AAD9218A9EF12BB1CB9EF791EA3F2F38901BBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:32.205{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52257-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000237103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:35.976{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46942C447F496E1C61F3511CB5C286C1,SHA256=8DF52394F82D9CE8256AE162D1F1DA3909F42C2523B1B615ED9FCEB85E1C8B37,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000357119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.238{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59885-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000357118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:33.238{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59885-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000357117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.094{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFB6DDD5C5026710725651A59026167,SHA256=5A9B27FBC5111BD051B88F20D794B29BA0568D71302D5B1E0449AAABD9B9D201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.023{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7BD3-6352-D307-000000008B02}9480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.022{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.022{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.022{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.020{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.020{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7BD3-6352-D307-000000008B02}9480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.020{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7BD3-6352-D307-000000008B02}9480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:35.019{30B46F62-7BD3-6352-D307-000000008B02}9480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:36.165{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94804B0CCCF21396A4765962BD6250D7,SHA256=8BCFDEC2E6C62C0A4F61BB623ACCF9AC0BDF574E521EC0EC8575855D7B5F0F9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:36.141{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:36.141{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:36.141{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:36.096{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:36.096{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:36.096{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:36.096{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000357129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:35.728{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59886-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:37.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C34E5C62148C23B622CA2D8831A28E4,SHA256=7E5999208B1E6C250E3D2F943F577E6C1013A2D2FEF90AF44D3A6BA217A67C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:37.067{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6F532048D537AF04CD9C1567B43AF2,SHA256=69F8C68CF247121203BAFD760C3900AC3A094AC163FF8A8127EFFEA15E47E5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.430{30B46F62-4F33-6352-CA01-000000008B02}6212ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\recent-files.lstMD5=02D879B471C2ECBEDD86CAAA27D05E9F,SHA256=562CFF7847D34CC36BEACB1B9E763AB60F3EF1655051B4930157E339A50D4D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:38.319{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.319{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:38.319{30B46F62-48CF-6352-9A00-000000008B02}48044216C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.301{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.301{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.301{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.301{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:38.218{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30DE12E4B0EC89FF3B597005F5CA78B,SHA256=78AA8D65F9E2D1CD0CC6822BC73C956A6E5FDFD1DE174098C0565D6850BDA2C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:36.572{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-52652-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 
23542300x8000000000000000237105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:38.147{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FACC42DD35E94C0125E91DF8E471DF3,SHA256=FEBE6250D46DFE5634BC98C5DE7DF6B1E3DC2238D87646DB61F2D51405CAE09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:37.394{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52258-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:39.231{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E16CA8102D15EFBC794C3D79B8024D,SHA256=2B4FF5E68D908012AD9BA5CB1623ADA89E2AA4E70AA86D01A74BC9FE40FD2466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:39.287{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1998C277E8EACFB4D862DD529F3409E2,SHA256=64231F26D851FF28EC84873D816DC4233CAEB9705F0FFD0CEFB988EE31B8619F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:40.298{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2056D2213FDF75843B47ABAC17D41ADF,SHA256=E3647B764138B7EDDF579518248EB2A92D0BB64298E5B8265BA61F297D64C190,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000357141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localInvDBSetValue2022-10-21 11:00:40.606{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Python310\pythonw.exeBinary Data 23542300x8000000000000000357140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:40.322{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E442F69B9B30354033B62F7D5498C32,SHA256=0AC539DA04A361B305E8E93C30D08F8A93FBDD79D74AD9BCF3D3975C0EFA12A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:41.388{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEC00CC0DD798C22A0BFC3523C27870,SHA256=A28B2FFCAF1B1D50A11495C84229C169DB96D585C8EF4F5008CC65078A0835E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:41.376{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A871699C07FE601DFDEF414DDEA80A,SHA256=7F31BC91B84AA427B1E774BCAD4077A1A45933C4D82436C15F7E6A8980C3EBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:42.455{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FBC3B1D8828A379BAC49EBDF1E5A4E,SHA256=241B7B831559AAF2232102EDFB7A7B39EE5C3F9F852AC32267271031BCE7C1B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:40.739{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59887-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:42.527{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45ADBA4180F55810658954CE1DC7BCA5,SHA256=132EE68DF80BBD4E73F452E30E4DD78A7A1A963DEC7746ECCF8B412F1008AAE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.868{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.857{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:43.851{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.833{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.831{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.816{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.808{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.802{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.800{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.792{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.786{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.775{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.748{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.730{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.717{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.703{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.666{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.647{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.627{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.601{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.591{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000357147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.584{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D87B82E98DE9988FDFFDCE993C87F1E,SHA256=40DC8CA6E0B8A03E71F647819E9C1A79EE9AEE02B7AE57ED6DD76A9CC88CC0E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:43.547{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:43.544{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000237112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:43.525{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C366A660262302889012A313B5122C,SHA256=E3EF8A36E205AD7DB7274500C6C26AFEF81AAD55903DE789AF2F3CC8BB89F34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:44.588{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE1CF0B4ED16A6011E6AFDB0E1AEE7D,SHA256=98AA97B0568A528062820731D4CC04DED4E5FA52738E15203EC2AD4A61A9619E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:44.606{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C2B311363094DCB3EAE00A029A9331,SHA256=792D1EEBECC4F9DE4B243E0CC397C3C7E1200A09CD49BB5C0F084FE4631CF708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:44.569{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-213MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:44.290{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:44.287{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000237113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:44.273{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6F536CA932A62CB0EAFFB3BFEEC2F34,SHA256=EE1AE62D3EE196781B44AE7F9D5919CD253417402EBF05BF1FC50E05497BE1B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.705{EFF5EEA8-7BDD-6352-9806-000000008C02}35642996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:45.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6920AC3FB6118205DD3B7AD094EE239C,SHA256=B116E464840DAB0443BD3FA6C7D1F2D99377C78F1992282E015AF886B0291CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:45.659{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6247F593B4819081A00939DF253B27,SHA256=099133FB5CFD8ABDDD36C3468EBF0E488C70D06E17EBD3AE10266079A2A81BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BDD-6352-9806-000000008C02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:45.548{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BDD-6352-9806-000000008C02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.548{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BDD-6352-9806-000000008C02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.549{EFF5EEA8-7BDD-6352-9806-000000008C02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:45.244{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9CAFAD78B4C5753D01C34BFE0AB9EA9C,SHA256=C9CF03F2A0997F6DAE05CBECEE172EB5090FB3940F7C9C7F72C9E50B4D98F80E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:45.584{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-214MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BDE-6352-9A06-000000008C02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.895{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7BDE-6352-9A06-000000008C02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.895{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BDE-6352-9A06-000000008C02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.896{EFF5EEA8-7BDE-6352-9A06-000000008C02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.754{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08F67DCEFBE9F3631BD00F2AB4CFFAF,SHA256=A36AE69A1803B75D4C7E2A2677DD481D37002392F905E34EF2BE5E180A97F283,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000357198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.996{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.991{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.988{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.985{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.962{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.915{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.911{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.907{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.882{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.872{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.850{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.845{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.837{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.832{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.831{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.828{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.825{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.824{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.819{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.818{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000357178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.735{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5709261D96EDCF11B80BD1BE9F8685A2,SHA256=63E9B353ABD4A657BA7257E22C82612154CF202CAA7A473935C75C0B510F0092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.419{EFF5EEA8-7BDE-6352-9906-000000008C02}26283452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BDE-6352-9906-000000008C02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BDE-6352-9906-000000008C02}2628C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.220{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BDE-6352-9906-000000008C02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:46.221{EFF5EEA8-7BDE-6352-9906-000000008C02}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000237131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:43.339{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52259-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000357177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.304{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.303{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:46.300{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000237186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BDF-6352-9C06-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.907{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BDF-6352-9C06-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.907{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BDF-6352-9C06-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.908{EFF5EEA8-7BDF-6352-9C06-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000357263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:45.742{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59888-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
10341000x8000000000000000357262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.118{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.115{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.113{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.111{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.108{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.106{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.102{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.099{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000357254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.097{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1456856A23D01E782FF528C0F9CADA1,SHA256=4D78A433270B69427DF1AB18F2F09A43B8FA74D41E43F5A461EFE4C0D5F2F5CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.097{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.095{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000357251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.092{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.090{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.088{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.085{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.083{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.080{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.077{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.073{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.069{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.067{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.062{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.053{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.046{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000237173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.638{EFF5EEA8-7BDF-6352-9B06-000000008C02}35363432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.042{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.038{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.035{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.032{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.030{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BDF-6352-9B06-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7BDF-6352-9B06-000000008C02}3536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.389{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BDF-6352-9B06-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:47.390{EFF5EEA8-7BDF-6352-9B06-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000357226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.003{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000357199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:47.000{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000357264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:48.148{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22650527BB1D9F65E128DA53721AF56F,SHA256=A335FD671C7458832495B1FFAE46B2A3E7B9B4599705BF4FEF88664A95510713,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000237207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.759{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.754{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.753{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.753{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:48.589{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.589{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.590{EFF5EEA8-7BE0-6352-9D06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.126{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3455ED2A3C72659B7E8241CCE6582616,SHA256=27400F7ED4C21343F77879BCA932C55CE62B03962CE2290C21784EEBECFA02F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:00:49.271{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98972E829A975B1365F6C15855FC25F,SHA256=75BD1ABCE092C1D13FDE4482F0C6510EE4CDB5A8FCB505BB76EFFA5501EBB4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.758{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9BB82F2D766E6FB4338075D8ED2C49A,SHA256=1E4BB3CBC76B9300602A18348384907794837C5A52C8DB82FD24A073A73F9333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.256{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1913F3E961E98D3343C298A93E327D4B,SHA256=8E6B5C5F336E1E3575558BB0F34F6AD0A87629C142118D95FCFA83BE3878F018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7BE1-6352-9E06-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:00:49.224{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7BE1-6352-9E06-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7BE1-6352-9E06-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.227{EFF5EEA8-7BE1-6352-9E06-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:49.224{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C15FD0ECE780CDE9396334739F4440,SHA256=42E2CBA53CDDCEC5FA18DF81157783F96302E0E8352A671C39246FE8F3C59917,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:50.307{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9172A8813B5A8F37912A6DA302E5A2C6,SHA256=9CFF1DE68001438DD72DC54D9EEE3DDBD7036EFB52FF4FA6712C24AE39A12066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:50.398{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EC5624BAB317DD85B1CE12CC450D1C,SHA256=EBE73CC5852077FDD8505DBF69BCF81567B49C41931C8EC1F373A3B44A3A5102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:51.449{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D7126EB12690F8B713F1A02C532AF6,SHA256=04F448063960E1C18BF25B3D3A93556EB7E38C9811BBBC0C7B90706E2BC77606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.995{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.992{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.990{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.987{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.986{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.984{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.982{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.980{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.976{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.972{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.961{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.956{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.954{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.947{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.945{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.926{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.919{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.886{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.861{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.847{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000237227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.821{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000237226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:51.388{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368C76CDA8651BE8F1F236CE111458BF,SHA256=935255CE3D74AE237549FC7238A9BE90AD0C6892D5741F1185BA8D3FD518333A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:48.470{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52260-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:51.199{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=A80AA9DC92361C5182CEC755A237A9C7,SHA256=6D4143415689ED6A9778F8A8BC241D37653EE5E12AB0EFA697443D8A41033808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:52.633{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E023C6F6CACFD253B4122DE891F89592,SHA256=C20B4FA0D31FB5D47A7E898B6485F45B30084F4434B39195558F68EDBA9FD1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:52.682{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9C77D69E8B3FDD36126B6C7EE9589C,SHA256=45E33F8C00B1C52253C48FAF2E4FD0BC1610038CF5077E1743EC35159A2BB0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:53.752{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDC34EC19C85B0B86EBA74BA97B5004,SHA256=BA5FD0CBDDA222A358327CF84E0B8C4345089B9F838C27F648CF214A2EA8A6EF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:53.756{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1B088DF453F686B9F88DC348DAB9B6,SHA256=B4C7EB94673C5D0AFE2F9FD3B7E646224E4DE8681BA2E408462F61262A0B4A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:54.832{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9DE098F774DBF66C402590B2D97FF0,SHA256=346F72CE76497E10302B3020F63467B2D70FD75F622BF8579530EAF35FD43D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:54.854{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626AE93B5AB8107F183097F73E9AECDD,SHA256=0950181292A21A6AD3B2DA6973AA9A89DD211D2CB619FEB1A3A62EE8DF69604D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:51.764{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59889-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:55.924{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A4ECF5D67B9B2E17D67FEC51B21E19,SHA256=AFB57586622059E3CF65F5561DE0104674813B2E38E91B0296D334CB3CBCFBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:55.823{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E2959670401489138E0C34B08DC8BB,SHA256=8A824D609C03A23552A405CED7119B10F33D6DC562751BDF6E19F51658584E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:56.922{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE04C575947F763FD2BC5F0D89639D0,SHA256=58F6F2EC2157775384F99F5386138002B08D85F4F2D409370EA726042AFB52A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:56.221{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=6A0FA37F84E79F78E30B03845C4ABA79,SHA256=E773DDA060AC35E0B6A194F6DB79E395702B08F70C18F00D5F13C60DC67C87F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:54.367{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52261-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:57.002{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337B405A71D8A83B6BE501B8D3273396,SHA256=288BE942C5E66167D698D88D5F1EA5C04AC3DB45183C12CE7CBA862DD044DE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:58.078{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1B347EBF11B81C9A60A15162066F01,SHA256=CF2F63351E820C4302EF81D6D9A1F2DC1DE4ECA7B3ED3B9404844076BBA2B465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:56.771{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59890-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:58.043{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4A19E51793B8F860ED5C59DECE5B85,SHA256=80EAAC907856447811AB28E007AFE4C2658908F8C282DB60684DF0215511F883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:00:59.157{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64201CE8A8B5B72BBFC7434DDF82152,SHA256=C82F7D8B8D8B2591D65B87ED8C43BF2EF98EE6EB2A75EC48D55D6EE411604C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:00:59.129{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804CA087261811B1B22B4C66F4EBE69F,SHA256=2C98072D94BB76A75684B01FD4FDB2DDAFA03954004E80046CB76BFFF793137C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:00.238{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1E38A701403E54BF3A3E630F9961E0,SHA256=EBED92B99810920AC8F6DF9A3D415A6BDF9C3419477B07DCF21E9602FF6C3DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:00.214{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC822FB6E9CEF4E1FF7D453A5E81BA7,SHA256=F33D2646C2AEC6466DD0BC0FE22AFB9C515D03948B548488470E0A92C8D46187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:01.314{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9BA79A25E14BF9314E5114B6E3F601,SHA256=28D5FEC41D136554C3C482949F2A349B6EE3F5963F23BBDC9600191A3D89EC87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:01.548{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=04D438A2CF0F7838890234BCF52142D5,SHA256=F08803E11615002E071F10269E3ED9A1F8E79A5F943075C2DB6F5539C94EC602,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:01.316{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40DD39D52189077C120A8306D9D18E0,SHA256=A224945904201447280A9630FE7DFE22914588D20AC5AE68CC1F19F08EEFD03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:02.415{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE8142682F18408A0963CD14A048908,SHA256=74081F8459BA10C4858D4B1DD1A067A32BAB64C553B331B161F1FCAB1E4AAFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:02.367{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42CCEDD0584C829BA04A2DC5B7B6A2B,SHA256=87AE6377CD5346374D6F024A7FF1F5B868A1BE69695C31048344D5C6751197AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:03.501{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192C9009CD137152DF359847BAE5FAB0,SHA256=507CC5522DAB90AE7F1737D994C728D8E29F2659760589C71E9865C5EFF52ECB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:00.397{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52262-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.969{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9DA69DD5A2DC4E24409CA0BA6D2D812C,SHA256=BC1F263E52CBDFAD58BE8303F94F84E69732ACB2835BE8688AE98044DD65B455,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.786{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 
10341000x8000000000000000357307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.762{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.754{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.743{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.738{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.723{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.714{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.709{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.707{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.705{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.696{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.690{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.676{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.667{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.657{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.649{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.622{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.610{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.601{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:03.587{30B46F62-485E-6352-1000-000000008B02}3089392C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.587{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:03.587{30B46F62-485E-6352-1000-000000008B02}3089392C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.578{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:03.533{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.529{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000357283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:03.454{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D46D1003D0D4AEF3392E53A29B82EC3,SHA256=4908783C07D84F2C84BFF7956A1DC7E5BCA235230CF3B2E939DEC2A5B124F094,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:04.698{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9BBF04F2BBE4171286C629A6FF24CC,SHA256=072B47042F8C7E8EF7DBA06447A70CC64530A0E67ECA87BB900C86F5D874F7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:02.729{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59891-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:04.587{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904E6F89E615BE3F4C0C2C2F5472107E,SHA256=1F21A40781A3C90F7F213217B803321E433ADCCEA6E918B44EF4407F52AE4516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:04.376{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:04.369{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000357314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:05.822{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C0790576C833C6C2CADF863DA77F04,SHA256=DC446CEC51F67FCACF7AD887E447A9DD09F87F03410A0D3EA3B0A64CFE25F9ED,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:05.949{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A992A78DFE05427E0B517F5AF497D7B2,SHA256=2CB2CB765069565A91AA17871793CB2E30FEE3FDBA3847C36350922A832B8DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:05.684{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A8605B79B543393C7EB9A259FFA5B0,SHA256=089D0A3454C1312FB3E272206EC84CA50E31FFF7737A4D3F832FE9EA017B5ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:06.782{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D290A858A0B6E8D673DB573AC51DBC8E,SHA256=825FB406F99844E74467B09D8C06D2D198343D8829824C254B620A8C03A60334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.988{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.980{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.967{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.959{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.955{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.950{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.947{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.946{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000357320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.944{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A403646176AABA057402E9298D36F2,SHA256=BFF910CB4ECF195F0BEE25610C4D5D8422C48A8DA22CC4365F4116B0FF1A072C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:06.940{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.940{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.426{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.425{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:06.423{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000237273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:07.852{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56ED4DED1E024782FDCF42E35EC194D,SHA256=9E150003830A595055310D19EE7DC468ADCEC031BE29F5FCB8C57F6ABE548542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.427{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B730F4DFFDD15C30AAA118E5D930DA71,SHA256=ACD7C036F91D48B35D9F6E2D7039BE1175E0152C2BC9A8D618A5AE6B862B73F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.309{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.306{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.303{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.300{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.297{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.291{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.290{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.287{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.284{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.281{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.278{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.273{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.270{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.267{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.264{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.261{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.256{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.252{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.250{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.248{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.243{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.237{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.233{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.226{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.221{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.218{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.216{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.215{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.214{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.187{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.181{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.176{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.173{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.169{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.165{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.154{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.098{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.096{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 11241100x8000000000000000357332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localDownloads2022-10-21 11:01:07.093{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\9887e7a708b4fc3a91114f78ebfd8dcc2d5149fd9c3657872056ca3e5087626d.zip2022-10-21 11:01:07.092 10341000x8000000000000000357331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.092{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000357330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.056{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 
10341000x8000000000000000357329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.032{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000237275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:08.929{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D5BAE96DA4553DE89454CB56570B15,SHA256=F576C2AF51053C489074BC5C0C92433DF22C2661BB0A4FBC641B0ACE77AAD87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:08.185{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:08.024{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1528283452279E3E4C3D0C9499D70E53,SHA256=AB845862B8EB0ADC717C08DC86AD1446D58D3A6DC6A8D472F7A7669204588C55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:06.388{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52263-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000357375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:07.857{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59892-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:09.124{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F4C559EEF20C349D353F883CA2B12B,SHA256=7A9E92C5ADCC326145821350BF73F209C5623794D5BFB6F4D850B8BFF75623B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:10.141{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9ADBB889147810CFD19CEBE6B29AAA,SHA256=68A608489DB9F41B45DE696E6F5C51D8D59612E0AF33129D879D03FB3545B851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:10.007{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD61B95AB1ECF0CF5D191F6C495A070,SHA256=DAD3694D14925E9550871C4B97679BF0E2EBAA6D693A10D0D370C7D0352348CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:11.326{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=418B84CA25EE90E7C6B447FFF1EC9700,SHA256=E81BE67E4DE0AF82151AB4690307E72EA56C5650A0F049647ADDCB66AB7E61C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:11.226{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149192264BB29FE1C28787553E3E81C,SHA256=D94D6CC6AB2B6C9C22D2D326D06887F601DFD70093201CE0D38C38242AA647D7,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000237301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.994{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.992{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.985{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.958{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.955{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.926{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.872{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.846{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000237277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:11.089{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722952DF5BE4651CD0756A6A12E077EE,SHA256=025C845473C88A09D94D070FCB31E2F8232F2C0E8087A7D5D05B5910AEEB88CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:12.243{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1347079EA27ADA709B85F8C5A88879EE,SHA256=F7F7E547BEDE3726DFBBBCA1509933B275E69B845944FFDE9AA098A9483F78A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.270{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0EEC81F6BBEB86C19F594B4D1E9513,SHA256=88B68DD081AE2511F755B901EC628CE13B203A251F7D5344BBD5413BBBD517D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.034{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000237308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:13.329{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C089D78E4871EFBE19F1AF3F693482D4,SHA256=CC4700E4C34C5E7F181585B3A3D1D1524B7DF3038E1CFCB196528ED8B2B23715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:13.328{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E033B5514E4ACB7E179476349E7245A9,SHA256=0A555E379D542BC0933193632546477018DA1EEC74009D41931EFA4B35030656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:12.861{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59893-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:14.446{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCD0A56B74663B334D8C3C1A1C4F787,SHA256=4B530B6FF7E03B4BC20FF4226301934ED0140AA31B346BD160BF9FCF5BBA8A74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:12.297{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:14.513{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FA7CD63B28E345A3401D7C1EA92E51,SHA256=FD2A1BDC8F29C5FA48559FBC8E7A6E8E2E10B67B64F2A6C98D3C5BE8108B2893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:14.431{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:14.418{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:15.546{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB044D33BB6FB63E7EC8B71A644D522B,SHA256=9C2E840B27368C3D739E5B0E12237823AA40CD8F7FBCEBD92CB70878E97BAF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:15.491{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C254800FA688512F16F78347BA996A41,SHA256=448D42E58333BE4256F0E558CFD028F38D04DAC753DCF680702989BDEB88CC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:16.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4C96C0FFDD3AC1721989C88FA86935,SHA256=8A763563639106F70C423EEA03D0286D1501313FE70AA8C8EE514867A99A93D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:16.681{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6258F9D7776E3BAC34873726A6C60010,SHA256=F8828F2C568F72A7D7A709A4AFC2628B56E9FB536C078362FF4BF20BD81FE89C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:17.665{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CA594A197C77ADD74C11FC5C76EC84,SHA256=CDDC4B78A8F3F4B80539D581A330B066D8364A4D7086BD8E1DED92E9164B0399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:17.777{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339A671A074E869D6ED16F4D6AF871E0,SHA256=161791D09C11763DEBD3C2A007C49511A04F6AAC39A57B372435D658BA3D0A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:17.210{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=8DFDD5447581677A9AF7183B6163E484,SHA256=C7E931B72307BD18F57C335AB0B966A6E998552DC83DBFA3AC36ECE3415E6CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:18.784{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813D8F6EBA06B1CFB212D4EA8716E7D7,SHA256=26BFD0D0314F05276B09EA947F3066D4567C68388D0E2C0EEE10EEB9B071F26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:18.853{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADD60175CEEE955DAF3BC4FF50E68BF,SHA256=A58C472741FEBE100533F5687F29BE24FA5F6358C459E4B6E9936131257E1314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:19.930{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C69F6E6ACEABD95FD61AED62DFFDB5,SHA256=B097A808C25E2E102A8DFEB7B3F341EBF44F5E0950B1FCBA9B6E140ADFB9BB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:19.895{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A2FBA921CBB9BACD9BC515944D54A5,SHA256=1347259544868FEBBFCF6570F1D52ABE264A048A0173061F2598DD99DFD608A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:19.320{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:19.320{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:19.320{30B46F62-485C-6352-0B00-000000008B02}6284024C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000237320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:17.433{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52265-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:19.510{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2172A3B160236E805C6E5C7826D7A41E,SHA256=45F56EE8325BB64076A3D78CB4C5C22D7BF121B8C8D5D97718C7936C69FC3CEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:18.505{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse103.35.114.12-55406-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 354300x8000000000000000357397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:18.987{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59895-false8.240.219.254-80http 354300x8000000000000000357396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:18.967{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61589- 354300x8000000000000000357395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:18.966{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65331- 354300x8000000000000000357394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:18.846{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59894-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:20.352{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF54DE49D4B071BA670E41CCAFED8768,SHA256=1C682160A0F1C255C59ED32723E08EBB127DCB2A978B821880AAC50E0BDC4E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:20.213{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000357401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:19.847{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59896-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000357400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:19.847{30B46F62-485A-6352-0100-000000008B02}4SystemNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59896-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000357399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:21.337{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C208A89EF51F0598ABEEB57F30C455,SHA256=CA6125196D427D79CB936DF266C61BDB65CEC68189A364082D5D773D4870A02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:21.014{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247A43DE9FB63F3BE059B9490EBFAF9C,SHA256=EDBDA062AFA6C090E0230612E080BEC8DDD934FD87C7ECAB709594E552B02666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:21.019{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578C4C3590A800B539D00097BDB87161,SHA256=266CD667931E1D8BED1A96C5BAA2D3382768679BFEB295A06217FD0F70977FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:22.115{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F80333E4CDA3CC2BECCC4F50A5DE78,SHA256=576755EF810FDEFC5E96370C66D33A488B5C92FA4CC2CB9B1BCF5AA5849E94B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:22.098{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB342C96FA89989CCB3C7DC077C0660,SHA256=4CD3041CB4F1B6A1D2AE7F9A7BEE2EC7C6E367A91384C14308087F54619E57BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.755{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.750{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.748{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.742{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.740{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.734{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.723{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.720{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.718{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.716{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.710{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.704{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.683{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.672{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.662{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.654{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.630{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.618{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.610{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.601{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.594{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.545{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.542{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000357403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:23.239{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248EA805B66CACB964EA96736D7C20CB,SHA256=9A2007E9888CF4050376B795F75FD1586498B4068AD0A6FEE5CD945D7D6BD71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:23.192{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7909915D2FEFBCDCF408C5A7A03D9D7,SHA256=CCAD037D397FA7AE99E90FB6231E6B38F2D01D7E34F356FC9DC8ABF183C5EF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:24.282{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E91300F9189395913F5A5816944262,SHA256=F5BB0F019078AC9F8438D376C39CF524303B6721FF5A2F9FF299BE05FD20E4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:24.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBFF3125AAA282BAB6E4EF519D1949A,SHA256=A54154685380EFC90296115DE0DAE13B3C61CF6BC1CEB7729BC28E6BBBBDD672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:24.210{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:24.207{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000357430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:25.390{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B632D1B1F2DCEBD5E4A788B6CCEECD24,SHA256=B5E6F494614406BA21B3B074BDB1DBCB8633C6BEB6CB757176BE74490BEF70A7,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000237330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:23.430{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52266-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:25.350{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA58DD5DA2A2EC7366584CB9E505D2C,SHA256=03853FF17DF816DE676639A31580592EBB71477CF6E6686D7867D76CE46EA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:25.334{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B3B112A70554A778096AF78B0520813,SHA256=E102D691E425EE0953A0488290625440AC9A5C18BC93A0AC102F63988EEB9CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:25.098{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=883EAB91BB01FFEBB101FF53A2A4FC8F,SHA256=5FBA43C16337F044A95C59AEF847428ED3D1D221A6071DF2011BE98E8DA3D99B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:26.445{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8A4222A3BC159CA261D4A206DC9EFD,SHA256=AF6F8DCA2F810F4AAFCF20838B9B2D80583354859B5C79FF5285D20B8A14828D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.996{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.993{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.990{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.987{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.984{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.981{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.978{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.975{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.973{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.970{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.966{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.961{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.955{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.952{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.948{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.945{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.944{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.937{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.936{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.915{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.910{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.904{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.900{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.895{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.886{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.874{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.826{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.824{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.821{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.800{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.789{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.760{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.754{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.746{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.739{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.739{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.735{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.733{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.732{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.730{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.729{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000357438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.458{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D760C0DED7AAB4EA6907A2157EEADF,SHA256=EF2849D9F2FE717EEAFE95894FF1B6E83202ABA10DA326E60CD4CBEC1CE02E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.222{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:26.221{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.219{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:26.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:26.032{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.018{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:27.524{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D799BAAD9EA77B5E43ADBA92327AC5,SHA256=3ACACD4FA83C83C60101F222C5B304C91FD66A4257FE6015FFFD7E46CB9B1331,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C07-6352-D407-000000008B02}9396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C07-6352-D407-000000008B02}9396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.975{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C07-6352-D407-000000008B02}9396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.976{30B46F62-7C07-6352-D407-000000008B02}9396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.559{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D415C9504CF09845DD7EC7B99573E7AE,SHA256=5443C2C17B1971D6372048EC9D3C6095D436BCB554E161A6850C043B1DF01A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.392{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CD7ACD5CFB5FA08A5FC7816A88F22A,SHA256=917A92B8A4D8761181928D5AA30B2A0D40BF130288D8EE9659EBBDB55B6398FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:24.790{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59897-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000357489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.028{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.025{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.023{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.020{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.018{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.014{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.011{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.006{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:27.003{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000357480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:26.999{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000237333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:28.615{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28E2E54745BBE18E1169E6AAEF0C49F,SHA256=3A104D7BA101C5174FAE8B3214535F77AF73F875D16A56C7E1C76AFE008801C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.848{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C89D8D42EBD802C47B15284534EFD5E9,SHA256=92ECC6B33B5F867F422587D1698604303E7EB9C578AB6CC3C6CD90924490E625,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.830{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.830{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 
10341000x8000000000000000357513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.830{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.829{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.829{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.829{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.660{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:28.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:28.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.660{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:28.660{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.660{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.661{30B46F62-7C08-6352-D507-000000008B02}10080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:28.575{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BBEC2047BF45CDB5C98AD38A398DC6,SHA256=1CAB5E4A5C0376FF37D68518F67932629A4F9309BFF519613AE2D4AD15234C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:29.698{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903B09340D3EEA056657B21B67BB5368,SHA256=ADA94E103041FE673DE53ABC30B2B367CABE0B8BFDFCEF5A4D6C94BB9CE34D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.706{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF48B0E4A3AC9AB4CDBC45113B7E533,SHA256=3C9C5123867F00AC41FC5BE89289397840A3113C30532C63E90ABE970C379A1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.461{30B46F62-7C09-6352-D607-000000008B02}98127832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.261{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C09-6352-D607-000000008B02}9812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:29.261{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.261{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:29.261{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.261{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:29.261{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7C09-6352-D607-000000008B02}9812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.261{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C09-6352-D607-000000008B02}9812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.262{30B46F62-7C09-6352-D607-000000008B02}9812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:29.176{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E940837DF12A8439F1E6D23CEE3F2002,SHA256=C481AD20CB6005F7CB2ABA30329FC1E505E1210F7A9DE174FC971D3E4BF8451A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:30.778{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F243379CB09AFBF40B84CA169B48EAC8,SHA256=B6E8E3AFB4B06B821DB4D88FAFD5FEF3F0549A507A465CFAEC070EE8E123C41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:30.796{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213DD7EEC34544598E369A99FC6EE0E3,SHA256=B94B6CA6915928915CBC98A74C3DF06446E2EC95C36FFA02D497EAC0CD8544C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.997{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 354300x8000000000000000237348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:29.328{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000237347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000237340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.844{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B61C67F9D854A7A18A01111038944F,SHA256=5C3258D4F09AB7993A73CEE2A6992C110E3A1DC78F4E28CE9B57E25B60685B08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:31.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.818{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.815{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000357539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.877{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1C3C7005E763A919B0828123468288,SHA256=F6E3BB3439B0C58CA3B1FA0CB7847B22AE14A0B157C2CB1DA0E684F6D2F28CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:31.530{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=18AD229D51AFF8E8B427AAE392D2F524,SHA256=842E48C5526153569133179A7190C932E8D48E5DEEFFD5D971DAFC94354D6BEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.438{30B46F62-7C0B-6352-D707-000000008B02}12086236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.269{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C0B-6352-D707-000000008B02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:31.269{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.269{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:31.269{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.269{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:31.269{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C0B-6352-D707-000000008B02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.269{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C0B-6352-D707-000000008B02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:31.270{30B46F62-7C0B-6352-D707-000000008B02}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.994{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:32.986{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:32.970{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF691E041B2CD25B1F79206E2171050,SHA256=DD85F191AF1986C123E84E8544F4AC5AB8914EF0747E0CD7AD7E8029EAB3F5CE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000237366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.006{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.000{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:31.999{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000237368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:33.268{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F368F148406B22A9B56C282D3B144DBE,SHA256=776E32197788FEDF7E213A72C7F7DA23BF72BCB3A1E73258610804F14D880E03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.882{30B46F62-7C0D-6352-D807-000000008B02}33563836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.864{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.863{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.863{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.863{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.863{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.863{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.674{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:33.675{30B46F62-7C0D-6352-D807-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:34.364{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-214MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:34.039{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B59645FAEE95E06E7F3969FCE6F827,SHA256=8D355935934C69C668E1F540677FA5B54DE18E92A22F65B43E8B47DB742C73BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.960{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C0E-6352-DA07-000000008B02}6848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.960{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:34.960{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.960{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:34.960{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.960{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C0E-6352-DA07-000000008B02}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.960{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C0E-6352-DA07-000000008B02}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.962{30B46F62-7C0E-6352-DA07-000000008B02}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000357569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:32.604{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59899-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000357568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:34.736{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F65811828D10D6AD2A8EB6927052EFD4,SHA256=31BE37C26F6F9D2201A9CC870BF05F03532AB94EA0F6C88E1148CE1105E8D077,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.520{30B46F62-7C0E-6352-D907-000000008B02}64369632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.336{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C0E-6352-D907-000000008B02}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:34.336{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.336{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:34.336{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.336{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:34.336{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C0E-6352-D907-000000008B02}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.336{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C0E-6352-D907-000000008B02}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000357559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.337{30B46F62-7C0E-6352-D907-000000008B02}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000357558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:30.712{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59898-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:34.090{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AEFC5CAEBA82217A4D06D2F6BFB11A,SHA256=35BBAEA1839C41CC0CF18930EC773D06E837B3A3793761D3A5A86C80B580713F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:35.370{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-215MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:35.120{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2205A4E323FA644E312069C6D67A4FC2,SHA256=0FBBF089AAB36840F432D3E5FF6AE49E852FA71485812E303D2FDE7A4339F3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:35.191{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F989B4487238689A3B6455430A9434E5,SHA256=A0BE45FA281A943ADFDE2958895CF5F8F750586BC8F220259B9651C93F6986A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:32.224{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000237374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:36.207{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081F769EBE98EA6A8AC42ED796F222E8,SHA256=4B1158C6B783340F31599C3DAC0FE28ADBB10919DD1841210AD19F564A904C65,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:36.292{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C183E250A397D50F59335F0780C76448,SHA256=F52BC0F88A97EC2FF5690764D8E28B6FD18909B02EE165562357CBB8FBE6548E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.239{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59900-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000357579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:33.239{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59900-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000357582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:37.410{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD0C8B7B9F79BAF7643BC2267413F20,SHA256=DC96420A3D5B6ECE92B1B690F6CA61D3927D8B0532BB7F66F06F3C1A64B98922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:37.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE15B0433BAE486EAF23BB7F87EE3C6D,SHA256=9DE575B9F3A062A7F16E9A90D5FF36FE49A025F9A51C16A8FA84045C3532D6F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:34.498{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:38.478{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB16996AA316A71E64D82A620919BA1,SHA256=44ED283F0968E8043264FD62402B53C3A334CEA7820F7D861BEB7086199C62DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:38.382{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A1F17C3FBDDF52FCDDAA29FE44BC26,SHA256=9933233015B563A8A7247361FDEB35EF0B05C74FB8AC9B37D8DF2F625373AE1B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000357583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:35.826{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59901-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:39.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1B2C97770EE365AF8B05A1BEF2A3D0,SHA256=5479DEAF9E399A4CBB855370352869B45C92F1F1FD0012ADC8AA3D313627AE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:39.461{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EB70C6706ABAF7805F2F0D88F1B1F0,SHA256=182275FA36C879C873EC7D105AD57A4E85C9DC9CF273A4992D22D2CCAFDBCE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:40.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907379BC351B11B739F3E62296EE1704,SHA256=B2968C8ED31F9E62972437F340AFC7DE167CA85C897CEF26C29B86880E74E11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:40.538{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9966E048BD9E1EE7B69CF02DF981F9AD,SHA256=6981DCD8C7A4CDBF9B6D55FCEE531D27F31DAC404C0096383BD9F83B6A1B8E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:41.818{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868848163A3A7F2D1E5B384859C82BBF,SHA256=0CCF0EB5D94ADF5F2B1F0D37EF3D0BA77D0AFCAA212D0975636C0283A83C5777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:41.624{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76DDEC2C46EEB7029AC4E7697ACB813,SHA256=1D6ABE1F02CF0E04C9915A84B3C6008342EEB4E380243DE2773C93CCE56FDDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:41.345{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=72DB83C61603B5FDE16E89D23F79F8EE,SHA256=F7D6D96025859415AB0C7821D991D576923A67DCC7839468FE6D835EABEC7407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:42.903{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53303618BDF9408C1AF88F1032EE3B7F,SHA256=961C0A3B5521B86AB3FBEC77529CBF66743AAE53041D84800BAB8276CCD1D598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:42.685{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4D8B842F20E940FBE03546B1930BB3,SHA256=0F1292D7506D5E612D642EABAAF50DCD12C347A72F61E4A79B129C0323C25A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.973{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263887BAE4EB00E69A1C795FE03F5231,SHA256=A4F41768A8A5968D9E4A860ECE46F6EA9D0BDE043E7F0A49357EBD405F214D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:43.760{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31045D55A07E70E8331BE8C05F92A29D,SHA256=E044B1F961EFD3931E2B90E27D93D43A5CD47DD04AA22455A2143F4FB86DE834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.826{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.819{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.816{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.808{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.806{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.799{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.792{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.789{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.787{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.785{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.778{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.771{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.756{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.745{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.723{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.714{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.675{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.661{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.652{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.641{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.626{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.561{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:43.556{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 354300x8000000000000000357590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:41.781{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59902-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000237382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:40.487{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:44.856{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBAC0E941131ED717CAC43B8C8F98BA,SHA256=B5D25667157B711C97F0F6EA5F63F93DF5A5E7F1BC0D47F3274E3CF4E85AE4D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:44.229{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:44.226{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000237399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.946{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30ED266E1179B9CDD0567FB667F6B97,SHA256=8C57A5227E0D8C9CF9919D3D5E76F84E5D959C32C46B9E82B9009E4422C90CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:45.025{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C58E555512B030D7CE5927E3081C4F,SHA256=1C2CBE6143A4F1F20974C71C050486100C9A710DA365362323A915BAE34AC9B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.712{EFF5EEA8-7C19-6352-9F06-000000008C02}500708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C19-6352-9F06-000000008C02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C19-6352-9F06-000000008C02}500C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C19-6352-9F06-000000008C02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:45.556{EFF5EEA8-7C19-6352-9F06-000000008C02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000357647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.979{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.975{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 
10341000x8000000000000000357645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.970{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.967{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.964{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.961{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.947{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.898{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.897{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.894{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.875{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.866{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.840{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.826{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.812{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.806{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.801{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.798{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.796{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.795{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.793{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.793{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.280{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.278{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.276{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000357622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.125{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-214MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:46.075{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500E28343FFCCABE9FEDF372B35791C9,SHA256=9A63D04F58557F9FA1A3BC1CA431F2C7AAA54F8281B0C4855F15F5899F87BCD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C1A-6352-A106-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C1A-6352-A106-000000008C02}3192C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.871{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C1A-6352-A106-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.872{EFF5EEA8-7C1A-6352-A106-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.621{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9996BB3E93AAFE4875AD33EDCFBB4856,SHA256=041114BF319349F5004AEA94F499924BA7FE536B41888065110829667E7594D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.379{EFF5EEA8-7C1A-6352-A006-000000008C02}40281164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.379{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.379{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.378{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.378{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.378{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.378{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 23542300x8000000000000000237413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D3733189466A2B277FF6D4ADE54ED79,SHA256=CA5A0FD1080A5385A0EA7D8697A4F20D20228F2C7ED958E0C7D7246482ED1D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.198{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.198{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:46.198{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.198{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.199{EFF5EEA8-7C1A-6352-A006-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000357620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.052{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 
10341000x8000000000000000357619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.052{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:46.052{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFca2796.TMPMD5=A4670CABC14D7551C56556724DDE58F1,SHA256=5AA750D72DC98C3B2F0FD3674D91BD9CF2CE599A23918CA948117F1E8D66A72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66AB570DA2E644C59C1493E31AB468C,SHA256=BF324D2B9FB27084B7667D4157D881C4CF233392220DED5AA6142066EB8ED2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.123{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-215MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.090{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.086{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.084{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.079{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.077{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000237448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C1B-6352-A206-000000008C02}2500C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C1B-6352-A206-000000008C02}2500C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.555{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C1B-6352-A206-000000008C02}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.556{EFF5EEA8-7C1B-6352-A206-000000008C02}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:47.302{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5024B79ED16ABD9CC3BCFE51AFF5505B,SHA256=0076A17B511E9ED6D471AA79E166383318F9F7BAB4829FBA9F5510EC998524D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.074{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.072{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.069{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.067{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.065{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.062{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.059{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.057{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.054{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.051{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.048{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.045{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.041{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.038{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.036{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.033{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.028{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.025{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.021{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.017{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.015{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.014{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000357648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.011{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000357679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:48.177{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1798F9A67D380E6C09ABE04A66011AC,SHA256=A3ACD3B6F3AAFF4C10F6D977C9D3DC045B8D173F3EB071F1201BA01CE9A5CF1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.889{EFF5EEA8-7C1C-6352-A406-000000008C02}3920492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C1C-6352-A406-000000008C02}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.717{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C1C-6352-A406-000000008C02}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.717{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C1C-6352-A406-000000008C02}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.718{EFF5EEA8-7C1C-6352-A406-000000008C02}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.369{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52369FF7131C35E07517A5C14E221D28,SHA256=68983517C0BBCBF0FA94E93CDC48DDC6B3E8666D23B57B07222FB0012828C1CC,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000237463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:46.291{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000237462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.211{EFF5EEA8-7C1C-6352-A306-000000008C02}34003508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C1C-6352-A306-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:48.055{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C1C-6352-A306-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.055{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C1C-6352-A306-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:48.056{EFF5EEA8-7C1C-6352-A306-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:49.281{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15503820BFB9F5E28129B9D38823B396,SHA256=BECFE841BACC2A6CAA1CE13FFAE2FB44FEE98E34EA18AE05F0DCB3C41C08D603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:49.730{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D18BB8C2834B2706FF2A51C3BE3F5BC5,SHA256=147C0915B6F7E37EE0CB0D18C27CE3E40728506210CCDB27228B7622479EACF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.465{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C500C4C66D45795F70EC20015CAA2711,SHA256=F951101517BAC31A973B97843E1030733D98EA3697F919E2FE145D78AAE479C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.391{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.391{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.391{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.391{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.390{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.390{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000237491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:01:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.234{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:49.235{EFF5EEA8-7C1D-6352-A506-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000357682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:50.382{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1691FE20124D60F674703255DF445F4D,SHA256=A6B4C44310B79E29FAACD05A3B356041F5EBAB457417501FD7521ABC6661AD6E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000357681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:47.710{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59903-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:50.420{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B976B4106B8685AB726F73083BCDFBAD,SHA256=8843729326E16D21F10C51AC5A58B21930FD2E5271F381188DDA64934709F319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:51.398{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C10AD1B521DA523D9EC64D3BA95A8FA,SHA256=98C3729A116B7D4B1EC730A741FDCD8ED0D48EFC183BCE5A0A5E77DBAFBDC04E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.998{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.994{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.980{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.977{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.975{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.963{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.925{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.847{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.839{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.822{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.819{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000237501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.498{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E6E2F88CC37D8251D90B7AFF3E3E3E,SHA256=6935013700114BB045D7E83C92C0AD3F13B9000E06C002E7800E144A126E8BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.829{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF110BE82FBFDAD0E960409E783210B,SHA256=8714E9C660447A4FCE166B6376043CF041DE26D6F6A0A415808F5EF597EBAE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:52.484{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6889E5EDC0EE2A5AC4100BCDC7FFCAB,SHA256=4D62ADA9AFD38E6A4E732669513923F02C2CF3EEE24E0F22AC34AAC5DBDA118E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.017{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.013{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.009{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.005{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.003{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000237532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:53.889{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F302131DA51C2F9A28FBEB5154156C26,SHA256=7B5E4D8F07670941DDDD6D6E0EAB19DFDFEF96B7E890931DE05E0BE6FED19E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:53.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4036BC809F3D398BEB95DA7EEB9DF60E,SHA256=32C67811B48AAC20EC5383CD1BA3D5D833E3D241001E6BC92001AC0BF03E11A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:54.975{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923955415841BDCE152A39B251EC8B3C,SHA256=27FE26366F67FA128DEB1B5B7697DC62D8E17E6F14AA9AF1AF35BF90BCEAE96E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:54.985{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000357689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:54.870{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:54.862{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:54.686{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6368BEE22CCEE6AC4DF7B8EF1D60EB8,SHA256=1E1AE18BBF793344D1A6B7E4981699910E8C79EF9D0381F5EB82EBD500F6AFB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:52.810{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59904-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000237533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:51.411{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:55.907{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9923158D4C6347BB1D820459439BAA3,SHA256=A4AC50EA34BFC60E619105DCB6A44CBD62A5EF207248EFB687F8921B392A3812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:55.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE88F4644C479CF43E950488D3B4A148,SHA256=23611B574A0548BC9AC7CEFE3E7435134BAD7407AF85F66CC2843217744F74FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:56.722{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED9D82A6C449B7544AA2CD16A4C7B5B,SHA256=ADC31F5297435FC9168F3A782209FB3414B39E78CFE0F706CB9549C2557A44D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:56.056{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CE4F62142BCA121F1C87E72659EE93,SHA256=F207806858F1C0E7F78569DF61D58D093804E557099FEFE698ABF285B657AF01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:54.500{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59905-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000357693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:54.499{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59905-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000357700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:57.742{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C1069D012D96487AEED05F9C50C9EA,SHA256=DFD1D849155166F7A40D63AFD4315F5C054045FA6BA7296B62D2AFF997894C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:57.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46B27F11AC8BDB82286ACEBA6732A4B,SHA256=9041163CB21A5F2AD158FDABA4B999B782740F090DFCC52D28AD9CD01178C911,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:54.623{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59907-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000357698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:54.623{30B46F62-485A-6352-0100-000000008B02}4SystemNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59907-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000357697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:54.516{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59906-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000357696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:54.516{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59906-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000357707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.829{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B92A733BDD1AE89F22EF9AF6B0EC6B2,SHA256=CDD5365F377E6D53C81C3237E6EC34DC0DDB82918404C36828B6589B0BC02CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:58.224{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F974228210368D04DEC895DD93CE89,SHA256=7F9B876302DD47FD96F47022557771B8570AF0314E0FAB4A5E43690EDF9303D1,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000357706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.303{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.303{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.301{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.301{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.296{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.293{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
354300x8000000000000000237539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:57.423{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:01:59.303{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F3A37E523CF5C31A25FDCC0633B1F2,SHA256=8A393CAEFAD0C048131482420C0472298B183BAF69227372193805D7AE522587,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.710{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.695{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.695{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.695{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.679{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.679{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.679{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.679{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.595{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.595{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.595{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.579{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+768f3|C:\Windows\system32\lsasrv.dll+76af6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.579{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.579{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.579{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.579{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.579{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.556{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.556{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.556{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.556{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:01:59.556{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.556{30B46F62-48CF-6352-9A00-000000008B02}48046064C:\Windows\Explorer.EXE{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+565f|C:\Program Files\7-Zip\7-zip.dll+9070|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+f1c4f|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+1665ec|C:\Windows\System32\SHELL32.dll+199ac0|C:\Windows\System32\SHELL32.dll+284693|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+166890|C:\Windows\System32\SHELL32.dll+163c6e|C:\Windows\System32\SHELL32.dll+e5211|C:\Windows\System32\SHELL32.dll+e80f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000357708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:59.554{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe22.017-Zip File Manager7-ZipIgor Pavlov7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" 
"C:\Users\Administrator\Downloads\9887e7a708b4fc3a91114f78ebfd8dcc2d5149fd9c3657872056ca3e5087626d.zip"C:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=D36DECEEB4C9645AAB2DED86608D090B,SHA256=018D74FF917692124DEE0A8A7E6302AECD219D79B049AD95F2F4EEDEA41B4A45,IMPHASH=3B2AD7C424FBD96489E02FA44B3D6025{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000237540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:00.388{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18102280C41D646B5B0D0A949C6AEFDD,SHA256=B272A963D9329569AFDAA3BF8B30E55AA43A0F161E0CF609CE823FA8FD1C1325,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:01:58.705{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59908-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000357749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:00.439{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.438{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:00.438{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.434{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:00.424{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000357744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.390{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.390{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.390{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.345{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program 
Files\7-Zip\7zFM.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.345{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.345{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C27-6352-DB07-000000008B02}10136C:\Program Files\7-Zip\7zFM.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000357738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.344{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64E6D71A9F523A583C974F3A2DBBDEC,SHA256=907903C8A09788B8CE70F8469020894647F04F25926A898C06C88197DEB65E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:01.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F100F449DC1DFFB32A5A8FDA37900F18,SHA256=80FD62AEDD94C8C28559872E45DB73869F4DD9410A6B67683A931D5E32B979A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:01.596{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=546112F27C37B10ADFEE675A5681904F,SHA256=64ACBDF9A1CDBE60A1C3F3C8C42A4B5F80CCC265D97EAE2DA3FD301D491A7C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:01.473{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E432361F2C565463BC90059BCF2A4B3,SHA256=59C02AE1538399D80217FBBB826F276CB268A55C63127164734B592AAD9FA006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:02.525{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344DC2132E84E4F2C1F4E979BFEEA2D3,SHA256=BEBF2F008851C94808C49366B662802A06DA5C148AEBD7D69AA0DE099FECC8D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:02.627{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:02.627{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:02.627{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:02.627{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:02.611{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:02.611{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:02.511{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1A7776E052E03D18E5C1C6D8236610,SHA256=85D79A8DAFC584C5E7629477A9E13C849A8ED36D09372A3CCABC50C1CD2626F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.057{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59909-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000357753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:00.057{30B46F62-485A-6352-0100-000000008B02}4SystemNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59909-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000237543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:03.600{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4554407C0FA7856AFC2CA55551A6AB92,SHA256=D5C92C670EF474CAB1A418A25BBCCA98B1AF93CCDF154BD0857771FC3CCC285C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.969{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=02C3B36CB36A1BDA961601985EF1D800,SHA256=5F31EED8121AF64043D3366419EBE7BD777331096A36C1541D21E3545D5FA39D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.842{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 
10341000x8000000000000000357784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.833{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.831{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.821{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.821{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.814{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.807{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.804{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.802{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.800{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.794{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.787{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.767{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.754{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.740{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.724{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.674{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.654{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.643{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.622{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.604{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.546{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.544{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000357762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.531{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC980C5DA8C838A2D7C9BC2403760ABA,SHA256=51639573C6769093FE68E2A6DE8F15F22DBDE4E011F4DBF37623FB15858ABE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:04.657{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A1B2555E36736AACEC68048CC5AD69,SHA256=2A96B0E2265486059A31DDBE262BAA61A142C153DCE23DBB6897B3603B463147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:04.682{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B52EE36B29757A0D6E5D02CC54FF3C,SHA256=AD1E408A0F7FCDDED2D155B2865BF8E757082435AB6E3A323DD02CC855CE5902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:04.337{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:04.334{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000357825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.849{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D08D86BA95215C50E61C9A634E450ED,SHA256=966EAD0616DBBE306FA0E2A6A3B2706C127EBC865D3241D9C5892C9F4C69DD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:05.952{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C68B159ED57BDD33B13153EC40584F3C,SHA256=F5877C0B55D6FF93C5E38D5FDE8CAB2A08DB1D59C62CEDF12D0448D823FFF5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:05.780{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D94FCCC0548191C7CDC597E3F5DE2D,SHA256=165DF8701241A7DB24E0B36122EB52D2B85B9FCF447D3BDCA3845AC4A855FA9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:03.812{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59910-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000357823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.450{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.450{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.450{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.449{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.449{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.449{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.299{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.261{30B46F62-48CF-6352-9A00-000000008B02}48049620C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.257{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.255{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.254{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.253{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.253{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.253{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000357803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localDownloads2022-10-21 11:02:05.215{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\9887e7a708b4fc3a91114f78ebfd8dcc2d5149fd9c3657872056ca3e5087626d.iso2022-10-21 11:02:05.215 10341000x8000000000000000357802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.199{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.199{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.199{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.199{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.199{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.199{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.184{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.184{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.184{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.184{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.184{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.184{30B46F62-48CF-6352-9A00-000000008B02}48046064C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+f1c4f|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+1665ec|C:\Windows\System32\SHELL32.dll+199ac0|C:\Windows\System32\SHELL32.dll+284693|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+166890|C:\Windows\System32\SHELL32.dll+163c6e|C:\Windows\System32\SHELL32.dll+e5211|C:\Windows\System32\SHELL32.dll+e80f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000357790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:05.186{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an 
-ai#7zMap6916:206:7zEvent26760C:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000237548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:06.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2C6A9AEC7C660F154DAEE1F4ECCA26,SHA256=24A82CB997EEB5EC3F93101D0D8E22181FFB6C56DD93B4F4688EE04820EDE212,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.996{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.984{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.953{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.945{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.936{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.930{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.928{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.925{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.922{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.921{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.919{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000357831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.919{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89AF5F004C4A2D1EB75022487E12C28,SHA256=F6741755F4DD507D42EB188E5728FF80DE60B3D9289F1CF285C3447F428AE6E0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000357830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.917{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.404{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.403{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.400{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000357826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.200{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67524C9B795E9C901A5407709163CC63,SHA256=FA7878D457BEF08C3200C76706D944C899455C4B993581A37A75524AA19563D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:03.460{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:07.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10B0B27A90DDAAC01FA7C75AA8E3869,SHA256=CD578710266DD5288DD70E73CE7A8CAD51FD8707FF05E26385B8BE0DECDC1603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.518{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.518{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.518{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-7C2D-6352-DC07-000000008B02}8176C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9002F941B19E37AFEE62075CB400196F,SHA256=109F888F56CFB2A57ECA51892D857F3BDB65C0FB40DFD62822A17F517635829F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000357881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.191{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.187{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.184{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.181{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.178{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.176{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.173{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.171{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.169{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.166{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.164{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.161{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.159{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.156{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.154{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.151{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.146{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.140{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.137{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.128{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.125{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.122{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.119{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.117{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.113{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.110{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.108{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.107{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.107{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.086{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.083{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.078{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.075{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.073{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.071{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.060{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.016{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.015{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000357843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:07.012{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 354300x8000000000000000357887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:06.987{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.205.25.54ec2-34-205-25-54.compute-1.amazonaws.com53142-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local3389ms-wbt-server 23542300x8000000000000000357886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:08.032{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC59FB2377F89F7AA9278F5A2FAE4D5,SHA256=912D738ABAE23DACABD95F4DEDBBE228BB9F7B266EB7FBEE0C0E66C27D50E05B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:07.122{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-58269-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000237550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:09.042{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F9ED080C7E3DE889B68F1B549BF6CF,SHA256=1AF43B55BEA140384D0258594DCA64022B991F31998BA2C39F633A845286970E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:09.177{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF557B30C9B2CBFEE78E6C0C7CD5EA56,SHA256=65F41E132B849CA964CDCAAAD4B123F8A1357532E732417CDFC8785730EB1F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:10.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC58082427C1BC1466BDEA4F7902FA0,SHA256=5F2E5A6A404F72E3DD887022AB2CC665B62CFDF540AD6992A2705836AA9FF2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:10.200{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B342FA5ED33D7308156007DAA1F5E0B7,SHA256=57130670A7E169CEEFBEF6DE4A104220D1AFFF0604F984EEC3BB0EA791CD7B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.996{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 354300x8000000000000000237554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:09.467{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:11.318{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A6C1AB7792E1281F2A06B1B54C6D11,SHA256=4FBF173E0FD9810D539A729D9BD1DE2AB30A45C485EE5148CA30D975472C4CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:09.649{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59911-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:11.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD5C097815E0EB5B27E8B9251C6E0D4F,SHA256=7380BEA2FF6C9D5B503A05073C0F0342A96D3A6D483A2853BDBE01578AA9975E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000357890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:11.247{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFE96B55F1A13417351B980CEF77617,SHA256=844BF5E986D45B57969649305F3C284A2A3CC61B8B39CA64372673E3937477AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.570{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3466903556738B7851B2B887C366BD,SHA256=2F42BFC3A8AAEBE7DE6F378BFCCCE6A449E6A9A353460574A64D37AD066E7BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:12.282{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4014083FAC54DB09AC91AF9C61EF35D,SHA256=D91C2B1B13D172046804689B9B1813412F5436FDC55474EDCCB03E30EABB7194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.058{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.055{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.052{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.048{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.048{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.045{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.044{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.043{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.041{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.038{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.034{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.014{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000237585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:13.697{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C339550E01607869A2497E2ED95892FF,SHA256=2F9A23A15D1B414D3ACBB64A7C57D4D13A08414038F69A406FCEE0ADF2E9F582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:13.313{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA7AA9BAD66B0A81332DA6489087BC4,SHA256=4BCF528428457F6899958F5E04E0B06FF1C323B53F0BC304D05EBC905842B078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:14.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE94F403E64C9C524A405F034EC18B9,SHA256=01847C5B4425A26E481B963BA08B77AF65430F34B53AF80FD0CF52CEC88916C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:14.345{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4357A81EB43549520D18721CE520DCA,SHA256=492D29097DDE60F21BBEE7FADBABC4BDE7950B5572F4F2AE7713E99433A5FE4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:14.418{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:15.846{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B030ADC5524C8C85D807D33F0C3CE8BA,SHA256=3DBE19E1D0749E6BD469EBCCA9AD8C9538E26CADD4CDFC0905975A72FF4DAFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:15.496{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BF29A218A476EC00BCBF85F4A9F119,SHA256=F4412E0BEADF6D419958004C3F7F079D302DE0592FE3FC1E6644CCFA8E66C5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:15.571{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB288069CE95888D436A58D770CEB85C,SHA256=A4AFF93B7321D5E9B6137840DE89EB06E6178E5AEC4ACEDC99DC123473F8FC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:16.919{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308F176888ABA3824BB64978AC54541D,SHA256=AE10CEE3EBB72EADB0512501012BF29632FB4FA45FAC7DCC49E8684A4CBE4CCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000357898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:14.830{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59912-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000357897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:16.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8949CD1F6B74D496994DC82766364C95,SHA256=4AA9466519B236F6BF67815AF3539834E60470E389C3FE933A2993540827639B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000357899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:17.726{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F651D0BA1B94DDA9E351B28E13ECCA,SHA256=02FC833CBAD2BFD4FC04E388A507BED2130F36A2EA87A525D3B517C6EE8A2F1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.956{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:18.956{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.956{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.954{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 
10341000x8000000000000000357913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.952{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.952{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:18.942{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6212c|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000357910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:18.942{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6212c|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000357909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:18.894{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.894{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C13949326CCDB576A290C36ABDD132E3,SHA256=6738D59DB28FB8A44FA8FC87EBD00309756EDA35E5BA00A66644C343B722AFA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.879{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000357906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:18.879{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.879{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000357904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.879{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.879{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000357902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.850{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk2022-10-21 11:02:18.850 
11241100x8000000000000000357901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.831{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\qbot_iso.iso.lnk2022-10-21 11:02:18.831 23542300x8000000000000000357900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:18.794{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5499E9FDC49934DBF7C376C6D485C9A6,SHA256=8DEF55232701FF8E75545719928330979E2D077655788E7FFFA9973C5CB741DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:15.353{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:17.999{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6AAB9AD3961C3ACA29CB6325F9983C,SHA256=E3F5FD1EBE2F88D64A3952F5593CC706176ABE3ED25A28188B75DFC1944DFC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:19.953{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4472E0938F103AA8B43678D132DBFE85,SHA256=B5EEBA531489E10DAC3381A7A60DF0A3A9A15C1204F9ED09042E83F612D3F6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:19.092{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D393C1C02B907E397529F7BD4E651970,SHA256=0BE93AAD6B99C18EDD2158D1038A1A7E93B9393622AB17D1F023029080C85F31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.999{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.995{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.994{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.994{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.989{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.983{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.982{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.981{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.981{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.981{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.981{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.851{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0800-000000008B02}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.851{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0800-000000008B02}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.849{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0500-000000008B02}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.849{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0500-000000008B02}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.848{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.848{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.848{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.847{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.847{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.845{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.844{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.844{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.844{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.844{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.843{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.842{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.842{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.842{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.842{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.841{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.841{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.833{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.833{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.832{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.832{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.831{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.831{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.825{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.824{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.823{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.823{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.822{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.822{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.817{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.816{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.815{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.815{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.815{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.814{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.805{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.804{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.803{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.802{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.800{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.800{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.788{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.787{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.787{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.787{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.786{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.786{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.783{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.783{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.783{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.782{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.782{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.782{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DE07-000000008B02}9732C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.777{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.776{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.775{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.775{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.775{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.775{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.769{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.768{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.767{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.767{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.767{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.767{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.731{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.730{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.730{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.730{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.730{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.729{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.720{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.720{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.719{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.719{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.719{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.719{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.716{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.716{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.716{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3A-6352-DD07-000000008B02}7652C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000357969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.714{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.713{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.713{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.713{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.712{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.712{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.708{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.707{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.706{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.706{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.706{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.706{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.699{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.699{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.698{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.698{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.698{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.697{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.510{30B46F62-485E-6352-1000-000000008B02}308NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\nettun.PNFMD5=C4D57B963324EA0B92A756317224F4FD,SHA256=14B2071838317251E641BA15F27D998EADAA6619795662DC32234CF3664457BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.443{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.441{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.441{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.425{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.425{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.425{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.425{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.346{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.346{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.345{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.345{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.344{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.344{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.310{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.310{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.310{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.279{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000357933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.210{30B46F62-485E-6352-1000-000000008B02}308NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000357932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.194{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000357931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.109{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e53c-0x965ff7d8) 13241300x8000000000000000357930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000357929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000357928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\CountDWORD 
(0x00000001) 13241300x8000000000000000357927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Enum\0SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 13241300x8000000000000000357926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\cdrom\AutoRunAlwaysDisableBinary Data 13241300x8000000000000000357925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName@cdrom.inf,%%ISO_Generic_FriendlyName%%;Microsoft Virtual DVD-ROM 13241300x8000000000000000357924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localInvDB-DriverVerSetValue2022-10-21 11:02:19.094{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\0000\DriverVersion10.0.14393.5006 13241300x8000000000000000357923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.055{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000357922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.055{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\CountDWORD (0x00000001) 13241300x8000000000000000357921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
11:02:19.055{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Enum\0{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01 13241300x8000000000000000357920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.055{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Parameters\PnpInterface\5DWORD (0x00000001) 13241300x8000000000000000357919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:19.055{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\vhdmp\Parameters\BusTypeDWORD (0x0000000f) 13241300x8000000000000000357918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localInvDB-DriverVerSetValue2022-10-21 11:02:19.055{30B46F62-485A-6352-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.5291 23542300x8000000000000000358166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.852{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B8F0F3CDCD94C48F2F28A4715A6B7A,SHA256=57C539022BD2BFB302B73C5E6F094B1DC8CEEC8F65951013495603CF9773FE4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.843{30B46F62-485E-6352-1000-000000008B02}3081972C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.842{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.842{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 
10341000x8000000000000000358162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.842{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.842{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.841{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.841{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.841{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.836{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.830{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.827{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.827{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:20.179{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9CB3DD28C478F947263915F33194A2,SHA256=819D204144D4798781A5A008C2C058EB170628FCEF813160894D77768B1B8173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.806{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.806{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 
10341000x8000000000000000358151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.806{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.805{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.804{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.804{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.410{30B46F62-485E-6352-1400-000000008B02}10442236C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.356{30B46F62-485E-6352-1400-000000008B02}10442236C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.343{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2FF0FA3C1D92B40B5F662EF08B6DE6,SHA256=E2CE3FF59162BE7E48AEA7D5E1AE162293EF6422E62AFCFFDEA41BD2F9E8CFF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.254{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.238{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6747111794591CECA757D8518E5C6E,SHA256=ABD9CC9E7F6AB8A79A45FBBF80A934BAAB892F35437E3FCFABDD52DEBCB15E7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.222{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.207{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.207{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.207{30B46F62-7C3C-6352-E007-000000008B02}64246404C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000358106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.207{30B46F62-7C3C-6352-E007-000000008B02}64246404C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000358105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.200{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16157B8D7C289E2FE65A6ECD2ED38B5B,SHA256=75B340390EEBA7DBDA239D6D1A9BC4205939B46895C5B519165389B030CF044A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.184{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA4F865F75C6023FAE366EE1F3788CA,SHA256=B3ED13AB0581D1B9D762463E5FCE76BF331E402BDD5B47EBE62DF4BC1DD530FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.184{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9591A78E192819268724D7120A21F23A,SHA256=E6BA82F3182E56077B2ECEC7FE49FFD4DB7A62C99343CACD86E728F5960A8738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.184{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AA8A14351603C3D8F47390F30C5ABE94,SHA256=4B46C11BCEE28693787A8ABCB8BDDAB9E17975E8C3CACA89473240DA05E5DDC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.087{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.074{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.074{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.073{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.073{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.073{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.073{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.070{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 
10341000x8000000000000000358093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.060{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.049{30B46F62-485C-6352-0A00-000000008B02}6207068C:\Windows\system32\services.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.036{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.036{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.035{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.035{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.035{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.035{30B46F62-485C-6352-0A00-000000008B02}62010200C:\Windows\system32\services.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.033{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft 
CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000358084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.030{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.030{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.030{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.030{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.017{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.016{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.016{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.016{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.015{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.015{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.009{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.008{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.007{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.007{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.007{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:20.007{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.000{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000358175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:19.970{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59913-false20.62.190.191-443https 354300x8000000000000000358174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:19.955{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62555- 23542300x8000000000000000358173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.884{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66237447D54C2C501E68B5639502DDF0,SHA256=173F062C9F7EEA67EFB667381287E029600E73A43D25D246CEE0D43C75D4BA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:21.254{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D1A09D6541A000BBB06148A0298E00,SHA256=AC7A10C744897F95315BCA971023F7C6914BF17D83BCE5251FB95543E2D9BF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.731{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.731{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.730{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.730{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.730{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.729{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E107-000000008B02}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 354300x8000000000000000358180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:20.806{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59914-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000237598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:20.493{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:22.337{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F65FE519EC2C9FBA322E679E606308E,SHA256=B1A11FC56B66791A26A38832DD1EFDE84FF291BF36BA68B3EC7246EF0A80AC4E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000358179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localT1158SetValue2022-10-21 11:02:22.871{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 13241300x8000000000000000358178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localT1158SetValue2022-10-21 11:02:22.871{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x8000000000000000358177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localT1158SetValue2022-10-21 11:02:22.871{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 23542300x8000000000000000358176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:22.186{30B46F62-485E-6352-1000-000000008B02}308NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Logs\WindowsUpdate\WindowsUpdate.20220209.234741.212.1.etlMD5=DCDD254CF9D61896786022A403808B48,SHA256=DE45C942AFBC105C84F7C9A8C9CC235DF99711EC841B13D6B871B9553684CD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.993{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBF8D4BE41F6E1CD02A09A662F14004,SHA256=382C6BD80451636BDB48EA15A51F9620FF4F0EF23918656024D80EC8FAC010FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:22.119{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62727- 354300x8000000000000000358210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:22.094{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59915-false184.31.203.241a184-31-203-241.deploy.static.akamaitechnologies.com80http 354300x8000000000000000358209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:22.052{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59938- 
354300x8000000000000000358208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.543{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-51613-false127.0.0.1-53domain 354300x8000000000000000358207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.527{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51613- 354300x8000000000000000358206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.526{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98e0:61e6:2cd:ffff-51613-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000358205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:21.491{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51613- 23542300x8000000000000000237599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:23.414{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439594C8E2328CDD3B74131FE5D916C3,SHA256=3BC43B1E6AB467906BB48533F2EB3E66144DF34F773A119405FB52ABD9C9A25B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.740{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.736{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.733{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.727{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.726{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.720{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.714{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.711{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.704{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.702{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.696{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.691{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.679{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.673{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.663{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.654{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.617{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.608{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.601{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.594{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.588{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.554{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.552{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000358181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.013{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9602A2E8BB24DE50434871AF1C19E6,SHA256=B2022A4E0AE0DC08F691DCFB2808422F75C4659D954A73D63D91457E4F3BBCC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:23.193{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59919-false184.31.203.241a184-31-203-241.deploy.static.akamaitechnologies.com80http 354300x8000000000000000358218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:22.893{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59918-false184.31.203.241a184-31-203-241.deploy.static.akamaitechnologies.com80http 354300x8000000000000000358217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:22.614{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59917-false184.31.203.241a184-31-203-241.deploy.static.akamaitechnologies.com80http 354300x8000000000000000358216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:22.351{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59916-false168.63.250.82-80http 23542300x8000000000000000358215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:24.952{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6692B3D59C2B78D6F031F8E351C76335,SHA256=0AE9FD84A019F14CB65F2B1B26BFD4AC647D18CB2DB78E3E7267EEC836443C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:24.495{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82706CC025B3DA45915EE613096AE854,SHA256=25EFA0318ECFF42B6BF2063AB5A43BF3371C2374FF6B5BA1B02C1D564DC7CE51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:24.060{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:24.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 
354300x8000000000000000358220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:23.497{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59210- 23542300x8000000000000000237602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:25.575{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25704A6CB7F5BEAF2CF4AC4293398FA,SHA256=1ACC3F2CF2EA9F9052E8E63D6595F8AF77D72F90C8973F592C904D660389D920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:25.343{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A86267DB71A35E1DA8B2E32FE9AABA35,SHA256=B148C240B88BA6AEC163D1912CA83F555BEBD55E1A63BD51F6E11959031FA5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:26.645{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A92D11C7E161A16A18F247D78FB0BC7,SHA256=ADCA3BC1BC4A96016192CBD3A0BE80EDDC2CD92AE7A98E9BD8184529524CE288,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000358278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.947{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.945{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.940{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.934{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.929{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.923{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.916{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.911{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.900{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.894{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.890{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.884{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.880{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.873{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.870{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.867{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.864{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.861{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.857{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.850{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.847{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.844{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.841{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.837{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.835{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.832{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.827{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.821{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.818{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.817{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.816{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.799{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.796{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.783{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.769{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.764{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.760{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.749{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.709{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.707{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.704{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.685{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.676{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.650{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.644{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.635{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.624{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.623{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.620{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.618{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.617{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.615{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.614{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.090{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.089{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.087{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000358222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.064{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1FF15AA2FFBB08BBAB12986AF3CE7A,SHA256=88FFA4406A888718ADF5D9152C7B858D0EA0B13E7BF3855268B1FA62D8BFC1D0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000358221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.017{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:27.730{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902655C8BCA080CB7ED2AE5E799B5105,SHA256=3A831B1F12A2DCF5B8F4D0D2151635EF2E6F769A8B8652F1D1041D58C698B930,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:27.986{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:27.986{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:27.986{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:27.986{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:27.986{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C43-6352-E207-000000008B02}8916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:27.985{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C43-6352-E207-000000008B02}8916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:27.984{30B46F62-7C43-6352-E207-000000008B02}8916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:27.287{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D1D09BF9747F3842BD2D8415ADD497,SHA256=6E6A997BD0017DB6EBB7E4F17A3707CC5B807205CAF17B8B4ED183BC601CB98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:27.285{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB47CA1DC7E9A6110CB1F98A8A48A7C2,SHA256=D23EFCBB12216E6374445072E04DF20508912F46248A3194A58F276A843BA804,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:27.021{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000358280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:24.548{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63788- 354300x8000000000000000358279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:24.511{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63788- 23542300x8000000000000000237605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:28.817{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F6C309D1DA37B7713CB03862F7974E,SHA256=D338D19B76937A89974D998103311170AC5C1C349240CB59123E049EB0653607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.839{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D3A2DFA10300E49CB8479ECFC8106AD2,SHA256=25458604F43B215AB0F6DB49490512C2DFF76E37C539AC7E0B457DE03CE1ED97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.824{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C44-6352-E307-000000008B02}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.822{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:28.822{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.822{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:28.822{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.821{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7C44-6352-E307-000000008B02}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.821{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C44-6352-E307-000000008B02}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.669{30B46F62-7C44-6352-E307-000000008B02}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.091{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9C07314E2FC8C4109B9B1471B92D67,SHA256=9F2C0D28E07463EE0618FBA90E6864268D65AD5B02D56D2FF2F18A6823B9FAFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:28.021{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C43-6352-E207-000000008B02}8916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000237607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:26.453{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:29.887{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11393F99FC150BDF3C3B236083459E60,SHA256=6BF86445276D2DE1453151F0C06CACE2A7B5DC7E6816E908C96E822AFC91BC72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:29.553{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C45-6352-E407-000000008B02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.553{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:29.553{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.553{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:29.553{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.553{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C45-6352-E407-000000008B02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.553{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C45-6352-E407-000000008B02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.554{30B46F62-7C45-6352-E407-000000008B02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EB4923AB183AB39F78C2071E780BEA,SHA256=92DC39F6627270B38C1498AB7AA18051C10CC17E4A9D069EF18BF72E91916482,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000358306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localInvDB-DriverVerSetValue2022-10-21 11:02:29.154{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe\REGISTRY\A\{ca1e367a-fdee-d52e-baac-2fc132c88f34}\Root\InventoryDevicePnp\scsi/cdrom&ven_msft&prod_virtual_dvd-rom/2&1f4adffe&0&000001\DriverVerVersion10.0.14393.5006 13241300x8000000000000000358305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localInvDB-DriverVerSetValue2022-10-21 11:02:29.138{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe\REGISTRY\A\{ca1e367a-fdee-d52e-baac-2fc132c88f34}\Root\InventoryDevicePnp\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}/msvhdhba/1&3030e83&0&01\DriverVerVersion10.0.14393.5291 354300x8000000000000000358304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:26.771{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59920-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000358303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.038{30B46F62-7C44-6352-E307-000000008B02}79007944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:29.008{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C95572334261213D6149C48B0D37CD8C,SHA256=81116BB6C1BE21A7763C8BE9DAC5B8122F19C9611A08857F0B2611F5DABBDDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:30.973{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970BD03CFFFAED965A806B4AF1FAF629,SHA256=5DABC2231D473EA822ED84F6659F03299EC1EE0B982E8FCB6944AF4780B8D521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.865{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=545A456E9FE8637BA989725C028B6604,SHA256=8A0002A6AC0589F34AB8279F1D18DAAAE5D39CB0045A322F6FA7C98A3E9B65C0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000358329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.846{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.846{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.846{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.845{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.845{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.845{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.608{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.608{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.592{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:30.592{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.577{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.577{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7C46-6352-E507-000000008B02}9672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:30.379{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C38ABF042BFC07655D32B905475FE0,SHA256=588A049DB95F5C65666DB808F6FD2A550239D82A0EA7FBB5367E1FD35650AA52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:30.292{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.996{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.994{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.992{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.985{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 
10341000x8000000000000000237622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000358340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.454{30B46F62-7C47-6352-E607-000000008B02}799210080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.377{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C664056BE6997DF7AB91777941078F,SHA256=C1D9AC96BE431C90B185D953F06FB917C59E24CEDE273DF273332C851F913EEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.859{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.844{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:31.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000358338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.277{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C47-6352-E607-000000008B02}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:31.277{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.277{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:31.277{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.277{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:31.277{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C47-6352-E607-000000008B02}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.277{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C47-6352-E607-000000008B02}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:31.278{30B46F62-7C47-6352-E607-000000008B02}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:32.408{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33DDE4C0C8218235773DC473E4DA704,SHA256=D1B23C4E0F5C1C28CEA0F9197F57FF53959484257452BF9528EBAC953A09425F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.031{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.028{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000237635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.028{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3BA8695AB7E7BB369F79C508F3907D,SHA256=AA8D2F17EF0F25CC550EEBC662A467D24D035AF593CB587F7CBC8F5B394F5EDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.024{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.020{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.017{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000237627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.011{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 13241300x8000000000000000358363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:33.953{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000358362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:33.937{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000358361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:02:33.937{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000358360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:33.931{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.931{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:33.898{30B46F62-7C49-6352-E707-000000008B02}101729596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.849{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.849{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.849{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.849{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.848{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.848{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.691{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:33.691{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.691{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:33.691{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.691{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:33.691{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.691{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.693{30B46F62-7C49-6352-E707-000000008B02}10172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.553{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFA3CB4D232FF3B875C975FF803CFB0,SHA256=7D988904695056055086DAE1E7B492F8E477175EA94296A17FDD042B76CD23FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:33.014{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1FD4B259E725200F90912E3FFF0969,SHA256=8A53901E6078E9A7144A2880997A0851988560F618EF3A82E0FA915C198486D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:33.014{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.008{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.955{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C4A-6352-E907-000000008B02}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.954{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.954{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.953{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.953{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.952{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6EB75A7F336398C40F78593425ED64,SHA256=0FDAF421EFB247D7921E7E973F104A63613BC0F3A12F9211402FBF370F998DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.952{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A688B34DA5AE076DD939D750E581088E,SHA256=61AF8CDC967C54012EE1D5F8438219A7B69D0C071990ED9583260C873A264ADF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000358382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.927{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7C4A-6352-E907-000000008B02}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.927{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C4A-6352-E907-000000008B02}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:34.926{30B46F62-7C4A-6352-E907-000000008B02}8100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000358379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.258{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59923-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000358378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.258{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59923-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000358377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:34.791{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.791{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:34.791{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:34.109{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986793CD362B4F4AA2E13E6E7A89277F,SHA256=0C78DD4C507F6F171E4FD3EAF428B47DC5640574C36FD2710ED1FC5023F3075C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.560{30B46F62-7C4A-6352-E807-000000008B02}96527556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.376{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C4A-6352-E807-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.376{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:34.376{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.376{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:34.376{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.376{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C4A-6352-E807-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.376{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C4A-6352-E807-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.377{30B46F62-7C4A-6352-E807-000000008B02}9652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000358365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:32.743{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59922-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
354300x8000000000000000358364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:32.627{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59921-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000237645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:35.885{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-215MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:35.174{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F431BC1CD4F17E7B2ED731FF2C0E61F8,SHA256=309DB9550FA587807FBC76330C1C53D4BCA0FC6289210A781B8568E224C69E79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:35.806{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:35.806{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:35.631{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:35.627{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:35.627{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000358391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.567{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59924-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000358390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.567{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59924-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000237643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.369{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52280-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000237642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:32.244{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52279-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000237647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:36.894{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-216MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:36.268{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE25A98D2E4B8F83AE5B05925ECD7D1,SHA256=A62254A64592A644F77F232B18E0A5075F5A3F626BCB80AD346374EA354DA783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.426{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59925-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 
354300x8000000000000000358399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:34.426{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59925-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000358398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:33.590{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local58400-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000358397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:35.999{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B847F5FB421B4B83225FF520F44790F4,SHA256=F8037DB371A7D99B0417D0D88B1548941A92DAB2657A4F8B040C9C56A25050F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:37.337{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECDFFC3BEC3A427F5A0B65683B5991A,SHA256=0D93D9071D27A00A4EBB43343CD0561AF202A71D21B7C8BD6B26070326F49C4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.902{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.902{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.902{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.900{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.899{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.899{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000358417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.845{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.845{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.845{30B46F62-48CF-6352-9A00-000000008B02}48049624C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.716{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.716{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.716{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.716{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.569{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.569{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:37.569{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.569{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:37.569{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.569{30B46F62-48CF-6352-9A00-000000008B02}48044740C:\Windows\Explorer.EXE{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program 
Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+f1c4f|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+1665ec|C:\Windows\System32\SHELL32.dll+199ac0|C:\Windows\System32\SHELL32.dll+284693|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+166890|C:\Windows\System32\SHELL32.dll+163c6e|C:\Windows\System32\SHELL32.dll+e5211|C:\Windows\System32\SHELL32.dll+e80f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000358404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.518{30B46F62-7C4D-6352-EA07-000000008B02}9460C:\Program Files\Notepad++\notepad++.exe8.45Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=160E49FA853DB78E6148E9DC566D96D1,SHA256=5D7C97C8C0FC601CD232BFEE97F51DF83C0DC6519AE42ECF0D765E69EB56E1C3,IMPHASH=106BC08A539BA691222AAF2F52A2FC20{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000358403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:35.257{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59926-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000358402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:35.257{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59926-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000358401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.101{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51B14F2B481CC60120CAF1F9C1A9438,SHA256=1DC1E9E45C60932E0E55FB48852C43231393763E55034B3155A31DA9417C3BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:38.242{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA95F73EF8AA352D1DD6E62BBEE3CB8,SHA256=C16922C1B9495441F46BECF39B26C9945E2463A7B1F8093B9E6B8D13A51C574A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:38.519{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1511A132EDD36130ED7030867505D3CB,SHA256=E35241945D7D2F8A3EC84FD80BE9A6C1D549C01C412D9A738362AB6F985B9C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:39.338{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830CDD2282E50F17E5BF9C371AA20CFF,SHA256=F7A8B40022EDB1B426BD9E5F747751D6F00D6DC7A78245CE3AF406E85CFE3430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:39.602{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1809D3D469613FC588CCF2C86EC2DAFD,SHA256=DD7F9F795DBEA702C232A80849288C002E4B80E7982CB8B7BA728917B1CEFFF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:37.773{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59927-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:40.440{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AEBDD4E6495A45CA9EBACE75554F5E,SHA256=719DFF11BA5144388C5508A9CC8356EE5F4E27344A6DF4F186001289D5F1C095,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:40.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDE014FE2067300671E3BA995953935,SHA256=944311B3821100640057C194D467A7AE0B4629689D7C97E4CF5897F08F70C3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:41.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4247AB43C06FA9588B5FB969F8F85C,SHA256=0DE606F7301161218D24EA862ECAB6AD8A1EB399085D01C26F734652DA0A99CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:41.474{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AF77AC9C0BB1EB84D288754C7E24D4,SHA256=0CB193A16F5532BD44602409653E8EE98AC9F6D10B77B7CB779391DED03BB8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:38.327{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:42.831{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230F79F10ED4082BD612389044F6792B,SHA256=106927E7C0E975EE183D4AF0CE7659978D68D1984BBA13A008916D0D7D66AEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:42.505{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6A72E3D1949B726BD03883CAC12D7E,SHA256=750BB6C6B3BB3A768598C58B6AD72D1A46E20337EFDA63A30D066EC843B9306A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:43.878{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4957B0B0A6D820600863079D948D77C,SHA256=DED433D7B1D15D76B6863A6FEC14B3DC5258A8FAABC0CAE92349A7927F7139FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.787{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.780{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.776{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.768{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.766{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.758{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.752{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.748{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.746{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.744{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.737{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.731{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.717{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.708{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.697{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.687{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.639{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.623{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.621{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D612913982F017A4B47D807F34A9475C,SHA256=E7A6E867D1C02BE64CCC3ACA5089C16FECD82B1427732CC0A865C3E884C74DA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.614{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:43.593{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.582{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.540{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:43.537{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000237656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:44.963{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D98F905F1E22B252B190623E74F4C4D,SHA256=B784735E82E99E5881508AAB0087F8A7189E070450C1830F7E57AAD99F0B8D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:44.592{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF017846C5085648F42138702CD82134,SHA256=432BB6A434F8CE0DDD1EB747D81BE33FB3B7227656B77F27E119E62D910343B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:42.839{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59928-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000358455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:44.204{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:44.201{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:45.678{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F990370BEE28134C338F181826D191E,SHA256=7FC88A14057CAA4FA823F85E49D75E6A054101057E4F8EDBC55DBF3A98B06648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.764{EFF5EEA8-7C55-6352-A606-000000008C02}3080860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:45.561{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C55-6352-A606-000000008C02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7C55-6352-A606-000000008C02}3080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.561{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C55-6352-A606-000000008C02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:45.562{EFF5EEA8-7C55-6352-A606-000000008C02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000237700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C56-6352-A806-000000008C02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C56-6352-A806-000000008C02}1180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.759{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C56-6352-A806-000000008C02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.760{EFF5EEA8-7C56-6352-A806-000000008C02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.665{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBCA4F3A93C8C68A7189CEABFB5FAA4D,SHA256=C038D02D1C6E5C79E7EC0EFB1B224CE6AB1CA5585A1504FA3CE3896F71FA1D22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.415{EFF5EEA8-7C56-6352-A706-000000008C02}9162152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.272{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B951F75DD8E63ED5207940C2F4BDAF8C,SHA256=DA0891C927F1DDDD09AE0CA6CE6EF0CBB20273AFD9632CCE4216E3581F4D7665,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.237{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C56-6352-A706-000000008C02}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.236{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.236{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.235{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.235{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C56-6352-A706-000000008C02}916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.234{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C56-6352-A706-000000008C02}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.234{EFF5EEA8-7C56-6352-A706-000000008C02}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:46.061{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CC5F9883D8600A3E591C2432EE5A1A,SHA256=C2F2D773AB4CA85D2CBD38FEFCE2E2EC787170C85AD88D24826236AFC677D909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.990{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.984{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.975{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.972{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.968{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.961{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.941{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.886{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.884{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.881{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.863{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.852{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.791{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.781{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.768{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.764{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.758{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.755{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.753{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.752{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.748{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.747{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.709{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB85AABC9AA4392D14A1BE12783BCD1C,SHA256=2FD24F38DA1B1D4B68B6DE2E376758F2DEB8F8A9865A4BA4AC133C3C80FDDE45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.244{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:46.243{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.240{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:46.093{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=319EB3D631F1BF59CF1EEEA272F17EBD,SHA256=04D24008C06016527CE6283890C1C2B549160214173AE45A564596CDCFF09F7F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.793{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E430F5DA272E3C341D8E5E893EB89399,SHA256=6A48865D42D4E14D95E076D3BCF8C8664FBF6D1A7C5521A316A04E30046BDFDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C57-6352-AA06-000000008C02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.921{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C57-6352-AA06-000000008C02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.921{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C57-6352-AA06-000000008C02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.922{EFF5EEA8-7C57-6352-AA06-000000008C02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000237716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.437{EFF5EEA8-7C57-6352-A906-000000008C02}32001248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.376{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1F9BFE8601876D50132F14A202126F,SHA256=A9FDC30A756F26CF2F71A57EF8CDA78EB22311B10AA0A6E1B4CEF02A3729E772,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:43.490{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000237713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.256{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C57-6352-A906-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.255{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.255{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.255{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.254{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.254{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.254{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.254{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.254{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:47.254{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.254{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C57-6352-A906-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.253{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C57-6352-A906-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:47.252{EFF5EEA8-7C57-6352-A906-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.644{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-215MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:47.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13556DF38145617440349A55A2BE472C,SHA256=CC4B97C5ADC3CA51903B7C83F0E9F107E540DC0E5DF61BCB4DD61DAA9DF44D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.103{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.102{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.100{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.098{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.096{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.093{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.091{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.088{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.086{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.083{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.081{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.079{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.076{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.073{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.071{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.069{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.066{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.064{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.061{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.059{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.053{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.047{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.040{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.032{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.027{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.024{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.017{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.009{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.005{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.004{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:47.003{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:48.824{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B52882BD6132B8053CEEBEEA1D4956A,SHA256=4A7B158DE0DA064E7342B7EC3311B1683597BC7DA0E5172DE640D5E268D4D06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:48.598{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8057A87F88075F2A1FD601238D296ADE,SHA256=B81FBE6196CB1BCC4DAF6AF5AF22FD836569A34D9924ABBF0D89BBA6FC9C9858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C58-6352-AB06-000000008C02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C58-6352-AB06-000000008C02}4080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.598{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C58-6352-AB06-000000008C02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.599{EFF5EEA8-7C58-6352-AB06-000000008C02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:48.671{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-216MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:48.093{EFF5EEA8-7C57-6352-AA06-000000008C02}24041808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:49.969{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B6821AEA9462CCB6BDD875F37338DA,SHA256=5D1FD477F730745A6729DA74EB76575BA90E9997AB57B8DBE40B8589C375B163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.797{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E634819D11FEDEAF5BC1E3DB4B09100,SHA256=D65C9110F641B1E4B37403A1F2EB665E53964BCD22434F1A286173CD454780CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C59-6352-AC06-000000008C02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:49.098{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C59-6352-AC06-000000008C02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.098{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C59-6352-AC06-000000008C02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.099{EFF5EEA8-7C59-6352-AC06-000000008C02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:50.860{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58D6B136B72107B3AD3927CC092D5F6,SHA256=42EA318D9D4186568BC4D864CE2A6305969716B0A1A6590CBC93FF497F2F8C09,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:50.094{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F4938FF3041D0494907812D2B9FAF815,SHA256=146E855983E7F8A6623137EF8B6AEFBB4BBDFB9184F1D86C0505C88AC6A759E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.996{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.994{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 
10341000x8000000000000000237775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.960{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.950{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.927{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000237770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.920{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815E4F9EF772ED5AC04B290E6A1C1326,SHA256=78DB551AE289268167D9DA8C8E6B2700164268BFE0988DE9759CDF686008E50B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.865{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 354300x8000000000000000358524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:48.828{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59929-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:51.123{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6863DD6289EC3700935A923AEEE3FDBC,SHA256=AC335406F86396FDD887A231DF9BF98A25A6B0BEA52F0CB40DB56FC6677DB303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.846{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.838{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:51.816{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 354300x8000000000000000237761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:49.294{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52283-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:52.142{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7057505D241B496551CE388ABE822D,SHA256=824B93304784AB890874A621B83F8E168FD99A1E9A1637362A27135758C17393,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.072{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.067{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.063{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.059{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.057{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.053{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.052{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.050{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.047{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.041{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.032{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.008{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000237778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.006{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000358526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:53.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14193DC35F247B07D0E82E09156EFC3,SHA256=2A9F7D3DFD77940C3F4C63748AD6B0B933A2F24E70B718BBC0A8E005B0BCC9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:52.991{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6E6A4C4BD64C6EA400095D55D37035,SHA256=F040348B9EF5E2F533D6EC069DD06B3663EECCD8C92CE03AAFFFDC2DF1F7D8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:54.369{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B2C4D0FE74A7F5571B80877A81143B,SHA256=08D820FFDE8C18EBC97A8F0CCEADFECC76E3E1AC885FE709DD11AF61B0CB647A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:54.098{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4251799555ACF1A6A632AD8F6A0FCEE,SHA256=EC9CE38E11C639C05C5F1B97EE22898B5CEA3027A7BD13C4360924FECA8A6BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:55.407{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA423F09088F2FF4274236E8FB32ECD,SHA256=5A65AAF0F3CA027318352145B458F09E8B3A77697DD2800C45251E93DDC5DFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:55.168{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF634CFB29E0B9C59E2148CA74F81D7,SHA256=90D392D2C05066C7D3C1C6649BF00A541330DB0660B49928B5AE59392F23962A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:02:56.991{30B46F62-49FC-6352-E200-000000008B02}1264ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=A49FF2BDD727A61BA4ACB2BDDA352ADB,SHA256=BD6C33C0EF4B7EC39BB44F6F1171BC1C17A09A1D8551F6119A3D90BB497E9D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:54.812{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59930-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:56.492{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BF880AB5C543FBC937D9EF4FA643E5,SHA256=6C0F325DE1BA464365B454709DC1FCEE34D4B3F67480EB73AA59D3E657A124DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:54.430{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:56.257{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FB9CC898B29917ECD9BC11A232897F,SHA256=9E056E5803E8AB21752F9570D49792B4F278978C78B3A20EA255142B753E2CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:57.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865CE01A722A0469538EDE00651A5314,SHA256=9F797A696EC68D279274644AB6826D7748DF5E72D32AAE35133469F2193681E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:57.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A320FDE3BD64A20BB13C30BE679EE21,SHA256=11FED0D954141553481FAD4A4F3360A83051D07771273BCFEBF467D9092B2153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:58.590{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC53F2E30D0D95D8E40D7E16D56E759,SHA256=B9DD9DEDAADD9C1BC5477EDC4CDC0E7D07CABDC5F94861887EA69E1EAC9B2D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:02:58.441{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AD427240113B85DDE66D2E0134DEE1,SHA256=42C83EC517DE7E1B909685230AC06412F99669389F95EA8AE6E2A90A9692C074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:58.306{30B46F62-49FC-6352-E200-000000008B02}1264ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-10-21_110256MD5=AD80B2AFB85A2C45F12BF94E48169A9C,SHA256=C2773A210D80C272F27792B2BA323EE3DD7A68B7474F7C222B00DC7FE517CF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:58.290{30B46F62-49FC-6352-E200-000000008B02}1264ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:59.525{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C137420166A2776E6749E833EB9A512C,SHA256=C76F2C8ADA8058F3700B6DC206DA5D0CD40B93163CD5AD221D2209324F1E9C8C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:02:59.720{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0749CE7CC25B7F293454D787F29F894C,SHA256=0EE36545C006B46C465F207A342211C25F6355752B93C35A9B890DE1E3CB4C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:00.710{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12102A874400CE9529A12E3C4C44572E,SHA256=B5E3F3940BB424C11F87DB35BFE28D6AEFFAADA7623464FC9DEAD1B37AC8C50A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:00.788{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB88965D3DF4FCDC258B4D7DAD5703E0,SHA256=36714030538755AD3BE178BCB069BB1B65C5EA76139C597A6E7484E6C00C8FEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:02:59.496{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52285-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:01.780{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B1344A37AB82B4F0F217025826972A,SHA256=FD1BEA117FC26E8CFBAD9F42F806E9517FCAB1E66E52E32E5D2A59DA95DC6921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:01.904{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40222A31877F13474DA160A173F2C42,SHA256=7A87B971D18CFE6A598FF920043CC87F9F85A83D2B3E2DB7AA63BAD1BC5CE74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:01.104{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=586DB420073C68405AE7C2A3E2A6733A,SHA256=6398C013A563C787A9EC962DF60DBACD4D93B8F2FF9BEFE12CFD9E02D8BA72A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:02.931{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83082C58277C1239F1DAD0C7859B6845,SHA256=73A139F982F882DA12BB1D8051C5A81534E36311680BBA2748C7B25EC9DC7B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:02.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DD742EF2FCD9623A624B525394C4CE,SHA256=C41EB053D8B4F2433206747F3CEE76D9397284D4EE98E7DE0B95B4CCC1D2EE19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:00.855{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59931-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.969{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3F048AD7D7B468B427F2AB8A4DFCAF0B,SHA256=9173EC154EDAA6685F935BC4A89AD98856F52B351BF352CA914F3ECE17B67272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:03.959{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0687E618973C00104E61E05BF3D4C3,SHA256=B75FC795D81CBE57794EC9B55AC7A07F10261B4F276E818CF2A66AFA48AD7E8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.819{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.814{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.811{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.804{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.802{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.795{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.788{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.784{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.782{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.779{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.770{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.761{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.748{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.737{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.725{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.716{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.666{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.650{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.638{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.628{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.619{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.557{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:03.547{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:04.302{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:04.299{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000358566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:04.001{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F765452EFC02C879EA465CBF99C885,SHA256=25E80E1AD3C1D96031427F71A36828325323C9E58E9EA3A3DC3FBCE868EA3CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:05.089{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B3444291CF4065C4B185E9DAE98183,SHA256=604086F0B0314DD3BD8A93B921FFFF3D83A0FB9AF8ECDA97A6A88912DE2FBAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:05.961{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4ED6B3BF0BA34E6392E4F81998263A15,SHA256=CE14BA6A46C27F97706A1E119A604E688FE9E049469F5BA3E9F77B38AB816888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:05.022{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3079D866D30FAFB0D329FD2B1E13580D,SHA256=69A88830C4E1F3F1D174DE1B75C01AC2B59234436D6CE5F577EBE93FEF332E11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.966{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.964{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.959{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.938{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.927{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.876{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.872{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.864{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.859{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.857{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.854{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.847{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.846{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.843{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.842{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.340{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.339{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.336{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000358570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:06.204{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EF9672E695DBB7E751D7695830D544,SHA256=7B5C5C33D8004807D55CAD65249768D59CCA342D0580AFD01F03FE7A30590156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:06.117{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CA302D7408118061F0B5A62EB310B9,SHA256=2A982DB2F2BF3FAB8B540D67148992E3DFB710C61479E2158BFE955CC48B4DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:05.856{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59932-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.462{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A096D4D0203A1EC3673406119E89FB39,SHA256=E92EC3BC31C15FAB9CF722788DACAEEFD681FFEBBF1A779C1CE2D873F11BBD6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:05.316{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52286-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:07.201{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA73FC3B38B2241427B3910B5315F58,SHA256=7C8CC1EFFD7A89C55B0719A7D36B1E840660C481153E45949C19EAC4D9ED1F1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.200{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.197{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 
10341000x8000000000000000358624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.195{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.193{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.191{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.188{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.185{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.183{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.180{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.175{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.173{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.169{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.166{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.163{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.159{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.156{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.154{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.150{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.148{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.145{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.142{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.139{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.135{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.124{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.117{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.114{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.109{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.105{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.096{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.095{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.094{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.074{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.071{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.066{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.064{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.060{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.058{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000358589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:07.039{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000358631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:08.858{30B46F62-485E-6352-1000-000000008B02}308NT 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=53945F6FD7771A527017230129335892,SHA256=7DD6DF9BDAAF1EF3E1BE9785A2AF7BC97946CD4116574C1480D481EA5DEA1BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:08.665{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=9E7B5A6B672F5E21C59973F269713E40,SHA256=36C6E37D60CB9B011751C9EB8637DDDDAA4C17BA8CF6B3EDB41AB3C7F7B72B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:08.468{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1D00627DF7030561D6382A2B4BE830,SHA256=2203C8C9DDE403376C9080D0D13C77B7860E7399E6F1CEBDE6FABCC3DDA0708A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:08.720{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:08.720{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:08.720{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:08.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132FD946B8CC39E85D836194412A60E6,SHA256=32A82942D67566F70A809DE74B2ECE28E8D6667E94CF0021D224DEFD88B4CEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:09.361{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087CCFA215E4EFE4CEA8F9795E27822,SHA256=F214E27A349090128B1A588854678C4B772A32B3F52841DEA7FC229677523D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:09.491{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF857D7F5A0FABB63E20F8A43186C71,SHA256=8CE121F53B29CB8FF0D9F552E6FE3993AF33D7EBABC0788F68555992EE0738F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:10.456{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583DED2BBC53B9410DE87FE7EB9FA61D,SHA256=6C083D9893D03EB4D2962A64C29CA8EDA1919D5A46C9E50101E2482EC6F074BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:10.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB27BD4585131977AE2E7E34D9E4438,SHA256=2D2200D3B6869F838960CF825903238FFA47434F1888FEA275E4B9A104866439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:10.003{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3475517B0B0FA00567D058EC23DD0217,SHA256=FABFA8E1ABFEAB1FA79F50A0FDDDB1E7FB5A6798D4C646F8FD1A76C958B62EB2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000237842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.999{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.994{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.971{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 
10341000x8000000000000000237830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.926{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.866{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.851{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000237816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:11.540{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68E1CF3E2E62C6347C3BC69005F0C45,SHA256=8C5CCB53D72C7A540179E38D4736DA4570E71CDBA084C947EFA88C696FF28DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:11.592{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A99B216BD6368F656E6C25AEED27DD2,SHA256=EA20AD2BD022E55926EFCD26DD35CDB7B9BBAC12DB598D1FEC8D9F3D8F01F5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:12.933{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5A9A5EFE9E3B1EAF0744931CDDBDA9,SHA256=A5B37C427896C90154626DECB9FC291DDBAC084BE092DB164BB18C41913E5D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:12.623{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAA4CF8C0E80EDEE591AC0B96D78C06,SHA256=26E041420A5CC708C594A10AD54C2D60A783B95D4359BA383CAED3243C939EC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:12.008{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:12.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000237843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:12.003{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000358637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:13.672{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92D386E89284ED8A7DA3E80BF7B9EC6,SHA256=6E690628C80DCD7C1AB68BEE52B5EDF9659030E278D052E9BCE70DCC2A3CEA22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:10.469{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:14.712{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A6E5819BCE966B212D0CE3F6176619,SHA256=BD420E53BFA2C2996405D7934007C858F06250D644431CF26AB456E393BD9C08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:14.434{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:14.434{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:14.434{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:14.419{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000237848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:14.225{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4BB60FD114D2853A3FFD9FC4783830,SHA256=557CF5F715CD7F822476B44324247E70BFE8EFE4F50AA4DBE8CD4CE25D354ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:11.790{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59933-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:15.750{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF909594AD96511D4E8BD9E62CEA6B6,SHA256=1F3543B7366BF5C35715B5244A94359614988B24F11C80C87A6138F29AD5CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:15.311{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E2E6A25515D6F53FE1B592CB08338A,SHA256=BDA0B5438428D466AAFADAD4334C2CB5E75D23D2743D8ACB82596770263A39AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:16.385{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DEC406D99B9E5F0F319B127987713A,SHA256=54818C1F85844D30BF1027220D060A2EFD574649CF8EE35C9135687C892A8B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:16.835{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D329FBB782C3049CD18CEA9D481BA3AB,SHA256=3C8C7420A4A9E875F012A16420F5082C426CCD752A72E5408EF74B7862ABB77B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:17.489{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74E37CEDAF62168D5E76214629BE46E,SHA256=3C217BF093355770F654D54D23543BE935B4EB8A727567679318DA70A0717968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:17.907{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7494E27001EAE8A0723D38A70C77E8C3,SHA256=F3F2B5B5149CC9E9BBB0C7F4276C96E1970E20B95F623ADBCD1DBC022F0894B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:18.941{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28CF24C5FFC40C0D1487F356C2C8CB4,SHA256=60FBFCA279E5D488BDC592B32A417C62E2256DB0E3C39F1E7CD87098B9561E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:18.569{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D3563406D948A9E9C10491F2BD691C,SHA256=D9B8EDFA26C1AC24DD26AAAF74EF25FA8C58A33A7565068EE2CCECD0EF0321A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:19.648{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F380D0650A153EADD1072108B57499F8,SHA256=C3B01F2928E30E61130A2BE0281A2945FA5F4C5532F012512DB2A7659C2ABED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:19.297{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=742194457D754EABC5B88B6882D2CABE,SHA256=3CCD997B13820850CA980622F2F016A417A7510ED5061752EAD4246948C7AD1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:16.444{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:20.734{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957D27D22D2E23C33DB0F3730A765FBA,SHA256=F6AC66CAD38F64B502BD61068EE16188945882EC31AAA6F149D25648B33B33AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:20.498{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:20.498{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:20.498{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:20.075{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34FCDA593542681C089AE2548E6D696,SHA256=8AC537CC342A65E8E9AA6CE79BD9C6BF7F6059F4C6607DFF667EDD733C26098D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:17.822{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59934-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:21.825{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B50A0477DF1631EEAE43ADEB62EC3B,SHA256=031AAAA3934FA999DB6847E03A4B83C06F5EF0BD1426623EEEABB2D698740D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:21.146{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC888F8BDAE41DB684625E849E1D9C4,SHA256=33880D7AF43589708D07B522253E506037E438CE20E9BC3757DCEFDFADFF0670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:22.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B912A78D5C8E68B7A34007E7F7E6D863,SHA256=C205766107D46127DA86254513EC56D6623EF519E268AA7CE7151E77D3CF4E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:22.296{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A894A7A7204C9F6512D30C5FBAF4EB1B,SHA256=87701EA5C67FD06E79C41BA4070178A52A303C0CC5380EC9FEADE755E08F9771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:23.978{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924ECDAB3BCB2005F9A4BE80F4F68EF7,SHA256=CF1983BC2A528CCF1DC1195D8F9BD0A60F8099ABFB7166578AB2D375D1CE0DC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.829{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.824{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.821{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.815{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.814{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.802{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.795{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.788{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.784{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.783{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.773{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.767{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.734{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.715{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.704{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.696{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.648{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.632{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.625{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.613{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.601{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.554{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.549{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.351{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9C35B39FF626F90C24CDB0CD3C2C58,SHA256=FFB09BA2EB80BE486F3A1E10111067641F458ED8F83CFC02A3E2A9B1CC72AFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:24.383{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E69F167A4EAA1982C69843321290EC8,SHA256=3C2366B1406D177CC4E269437D1123A5C05C62214EAB59A9FE63A1F04DADFCF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:22.296{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52289-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000358676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:24.232{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:24.229{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:25.438{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E569D32504D5A773E599D7F5F543A3,SHA256=6DFE17BE93292DD595461C8D1F22AD3EB06685C6C8AB87EFC79CA01CB01F3675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:25.055{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65372F43E1976B6AB6E7445E6F11DBF,SHA256=8D4A6D9AA2D8B6D0068FEE86E9C262040E9166614340B7CB02AD177E6E9CC4DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:26.123{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA435CC64F343220F7318860AB4C6CDC,SHA256=8191FF559CA455C951652475568D01DED651C79FE2CCA090F4C77D92D48178F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.997{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.995{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:26.988{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.985{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.982{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.978{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.974{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.973{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.956{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.952{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.942{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.939{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.936{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.933{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.918{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.866{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.864{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.862{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.845{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.836{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.808{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.796{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.788{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.783{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.782{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.779{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.777{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.776{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.774{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.773{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.487{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1FDBD88B10D7251DC52718DC0F84D7,SHA256=F1A227D7EF4080CB0274AD9D406C2F2A783835F717DD0010960AB29CDD3A28D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.259{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:26.258{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.256{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 354300x8000000000000000358683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:23.724{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59935-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000358682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:26.030{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.030{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:26.030{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:26.014{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:27.976{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C7F-6352-EB07-000000008B02}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.974{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:27.974{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.973{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:27.973{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.973{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C7F-6352-EB07-000000008B02}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.973{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C7F-6352-EB07-000000008B02}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.972{30B46F62-7C7F-6352-EB07-000000008B02}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.526{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C8B90F1193DE059B4B4727FBFC5DF6,SHA256=7057E405E454D804CF20A7CC87FE3AF0BE1A246409103EE41D4EB12F464A9D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:27.209{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C654FB707E26FB81C7D7AB1F0538690,SHA256=298A268A67845871237BF0AB064A69F2273E74579FA2BA43B591F0B086DD6C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.288{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A1DC04293D965EA61214A2C9937F47,SHA256=DBE3B1F5B98746E1F7954451B181503CA759619EB9E29768E974F3BF7F3862E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.076{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.074{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.071{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.069{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.067{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.064{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.062{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.058{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.055{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.053{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.050{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.045{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.041{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.039{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.036{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.033{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.030{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.027{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.022{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.018{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.012{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.008{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:27.003{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000237868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:28.279{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6906DDE11A26526D437DE4D2EA62621,SHA256=5F144116AEBFE55794F2F42CCF170E8A7302CDF936344CA4E8C8C36217B719C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.584{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D69D9330CB4950E6BD64B302E156C8,SHA256=84A6CA942CE0BB7E44B3927C943C24C532BACB153F9D5E8065C73E709A8448A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.481{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C80-6352-EC07-000000008B02}1004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.479{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:28.479{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.478{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:28.478{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.478{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C80-6352-EC07-000000008B02}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.478{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C80-6352-EC07-000000008B02}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.477{30B46F62-7C80-6352-EC07-000000008B02}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000358751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.213{30B46F62-7C7F-6352-EB07-000000008B02}18725188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.631{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89587241D3712DDFBA2D315E3EAAEF5A,SHA256=423CE2569BD70A8E7EB3336DA65836B78ECAE8F835EB878E1B70FB0E5345EBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:29.356{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F5756C4F782E08FB92566FDC02135B,SHA256=02D2C03D95022D2A946E1910AA7C3E5E0C493C48D531B90D2CD42EF886E4ED32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.108{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C81-6352-ED07-000000008B02}1744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.108{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:29.108{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.108{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:29.108{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.108{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C81-6352-ED07-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.108{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C81-6352-ED07-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.109{30B46F62-7C81-6352-ED07-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.092{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=324A867F6B9550D627489ADAE2A4F15A,SHA256=9D90891D5D3D67DF35338D128A681E80702AC88C4C4296575C6366828C3A20DE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:29.010{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3B51FA1C40AA12A06F87BEF0DB275ED,SHA256=3F276A88FDE0D9D9A38218BAC14BC42A1C74A05B59CBC97F8BE6CB5764A47C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:30.711{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40155800BAB63E4B67FD121DFA568FC2,SHA256=C01AC8CC258288D55DD8D0C606EEF9BB0800E51D6BA8572B78E7F0042B99D006,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:27.439{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52290-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:30.437{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03CCAA47ED75C9DF7CEB38A7FD9E8A6,SHA256=C68043DC25CC16E56D3E277C2D1242FB374D27BCEEC88FB87C444BB9E06390A8,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000358772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:28.845{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59936-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.806{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77A5905C15724880B7218DB9D90C2B4,SHA256=8A2E3B1DEAFCB41AF7493F000EA1CD0B82EEDEF21BA7988460C20FD5DC119335,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.986{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.983{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.900{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.869{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.854{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.844{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.832{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000237872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:31.508{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B55BD019B249597804397DFF607DA7,SHA256=189792C5AC0AA646E986251B78DD4A1AC855F74052942D406B7ADD68CC81208F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.618{30B46F62-7C83-6352-EE07-000000008B02}80162108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.286{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C83-6352-EE07-000000008B02}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.284{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.284{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.283{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.283{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.283{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7C83-6352-EE07-000000008B02}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.283{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C83-6352-EE07-000000008B02}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:31.282{30B46F62-7C83-6352-EE07-000000008B02}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:31.212{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8D0DDA946C1B5F28DD482E17D2B864C1,SHA256=528B7305E249D55FCFCAF9DD2C04EC649CEB287F6F66FAA8EFDF616FF6DA1E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:32.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BD97A8DECDE7D7570879F67B991345,SHA256=F239C8E388D02C18CCE9361434C4248BF9521C86CCEF8DE8BA05ADAB83414309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.664{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0A473A7908622AFC72AD58DD9A5116,SHA256=A48A095A1FFD4F53C189694F44A3694E7956732E262AB471FB8C080C16490FD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.018{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.013{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.007{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.006{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.004{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000237892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.000{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000358796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4271E9095216DDBF9E86D24EBE4600,SHA256=B0E1EB680634A6701BE7AEF087B79839172D6F3347D697D8F8CFFC7B1C38A727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:33.744{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60EA941E58F6E935C629262B42953A2,SHA256=9D2A528F5C64C43BABE2D29B778D15928DBCE2002AF916A17D97EB85349CFBC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.843{30B46F62-7C85-6352-EF07-000000008B02}77649484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.633{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C85-6352-EF07-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:33.630{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.630{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:33.630{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.630{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:33.630{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7C85-6352-EF07-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.629{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C85-6352-EF07-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.628{30B46F62-7C85-6352-EF07-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.029{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:33.039{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.982{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0714AE98CAC9FFA4883D9B86A7D68FFA,SHA256=5BEAD9ADDD67B61B7DDA1E73B8D01A79DB00E1CD4D9F7DCBA73F6C8528C1643B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000237905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:34.818{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C1BE2A0B0296E66B2ECBDF26D8A287,SHA256=44C79837DE1B5DB32AE910C1D00671E5FCF735709886D573F088455B7543F204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.813{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C86-6352-F107-000000008B02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:34.813{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.813{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:34.813{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.813{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:34.813{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C86-6352-F107-000000008B02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.813{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C86-6352-F107-000000008B02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.814{30B46F62-7C86-6352-F107-000000008B02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000358807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.713{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F0EE552630AD2837816D5206CEC33D7,SHA256=2720D23A1B976BB7CA6E73CCC28939260414A9419FC2BFE0637F9CD840974C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:32.646{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59937-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000358805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.359{30B46F62-7C86-6352-F007-000000008B02}45326308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.131{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7C86-6352-F007-000000008B02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.129{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:34.129{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.129{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:34.129{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.127{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7C86-6352-F007-000000008B02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000358798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.125{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7C86-6352-F007-000000008B02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000358797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.126{30B46F62-7C86-6352-F007-000000008B02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:35.917{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BD8BF202457BDFB057525DBBE58A3D,SHA256=949EE5E07BFA53AB112BA6CA348B1AEA1B5996D6E1042418551B63FC63340DA5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000358818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.263{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59938-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000358817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:33.263{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59938-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000237906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:32.269{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52291-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000237909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:36.981{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC2A778F88EA08F8DF13519182726F8,SHA256=FD2BB86E50C7B6D0A11A13466763DD5F0CF0AF318EC711C0F46775CE65ACE1EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:34.746{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59939-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:36.023{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD99CC1481F8831532EA66E2AAD399F,SHA256=90B8D94E140D1EEC62A01C725DE0C8886F91D597B65DBD37ACD2A56FE10182CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:33.364{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52292-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:37.177{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC6FF0373CF34E44C9C5E73FCC19399,SHA256=5A61E16A698144E837836FCCB85EF7BD8FBEA3D57E595F5A10DE4A10EB556029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:37.413{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-216MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:38.319{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C726699456454632D30C62D473AA08E,SHA256=62731FB126A44C65CF5A4414673B9EC22684B9DEAA999EF2DA15DE967965F478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:38.419{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-217MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:38.051{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAC8EF8E39961CF70E6E3F18CF97C44,SHA256=8D666EF6E760B0368B4CA9A8C9D313A49EE93362BDB61FD21DA027EB665F2E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:39.368{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E91AC446D8403276EB304C34E82813F,SHA256=C91452A4F90D0C0CF5313D3547F85AB46E0327BD599A11CF5DA00E653D9A8DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:39.135{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA112BCB886C38416D9FE47C8B526430,SHA256=252E820B630A1AF7DEE9FA75FEFAA757AFAA724ADB234FF4603EC4A3264F9AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:40.393{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ED4E711CC901B26D9930E21AAFFC4E,SHA256=AF1B8AEB1E41CAA122A2E880F9BD85D86948327C0DD7B9F1676BCA674DE51774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:40.202{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321136CED4D87AC3022B315F8586127D,SHA256=144D5077FFCCC57A111CE734EA8ECD88F0C5281474F3F589E30CCFA255070EE4,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000237916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:39.307{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52293-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000237915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:41.274{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E89320C54CDFB05F8B9F8E532D3EE9,SHA256=EF4B4CAD00EE27A87845DCA924663DB9D5907C5C3B281A9733F0350E6D5E0732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:41.444{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CC6A5B013DE88808ED37692AD22612,SHA256=588A31249DA422AC83B4F578A866333E11B01AB249A07DAC669492FB347948E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:40.763{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59940-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000358826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:42.497{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FDC641E927FAF0152D593260DAB65C,SHA256=540ACA9C6620AE319471B1939D4CFE145F17AA6601F99E85E5202BED88BB2E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:42.344{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD23A717E5CDF56D921A9360BED333E3,SHA256=07F27A2BD41732367D82A63DC7141C2A4A1AF94564281304270AD55521987728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.876{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:43.866{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.864{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.857{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.855{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.845{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.837{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.834{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.832{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.829{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.821{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.815{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.795{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.783{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.770{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.758{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.702{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.677{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.663{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.639{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.611{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.543{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000358829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.538{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000358828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:43.532{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765ABDDCAE981D92B9FEAE6619F55F30,SHA256=56DC95BA58655AC07441187C364DDD9F93410B02B9E383CB3FFEE99876D28B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:43.409{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EE3F7E824E36DC7A00EAD61461E95C,SHA256=30B3390A45590501650C5211E056F46E15BDD2FCE4D2ED24E386AE95D63534FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:44.556{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FE18DD824717163A73F221CF6C7A32,SHA256=4EA44D62B5703C8BBF1F37F829C2DCCF2AD3831C958E5426D750D1E363A65CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:44.467{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7994DF757654215D1C76EF6D5C862CD,SHA256=C3D62A522CFDAC707F844A642DD772CED3ED405E31B6F500F4DE71DA9ED65BB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:44.342{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:44.339{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000358855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:45.602{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C972C6BECC44FD2E7C20AAA192376EF,SHA256=C704161CB598BA1D63A713C32FA1F193626DA9A6D34BA84C505FCD93E4969046,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000237934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.767{EFF5EEA8-7C91-6352-AD06-000000008C02}34323504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C91-6352-AD06-000000008C02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C91-6352-AD06-000000008C02}3432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.564{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C91-6352-AD06-000000008C02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.565{EFF5EEA8-7C91-6352-AD06-000000008C02}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:45.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC4EE5B60F76900BD9633B95E83878,SHA256=120F3351A6D30AE21C0A72278651F3E0908C390AE03826C93C89CB710EE6D967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.797{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8E53553DB711B0A2DAA9F077EF8EB3,SHA256=2A873BACD2028D54725DD1D97B2603F9DC3B37D0281B9B363895898CC9318B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000237963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:44.368{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52294-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000237962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C92-6352-AF06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C92-6352-AF06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.735{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C92-6352-AF06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.736{EFF5EEA8-7C92-6352-AF06-000000008C02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000237949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.626{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=970DAA3D42B77C2550416CE96C303821,SHA256=278EA98109E5C0FFC6AD8D74A655512F7012D3D9728DE7C646A5F7B0567956C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.984{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.980{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.978{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.961{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.950{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.920{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.914{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.898{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.892{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.891{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.889{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.887{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.886{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.884{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.884{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000358862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.682{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06660D6DD501F51640AF6E7C1AF5DC39,SHA256=F8BC9FC3B24963DFF11C8E74B699413EED8812EDE639AAAE32EC5E895469037D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.372{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:46.371{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.365{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.065{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000358857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.065{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000358856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.065{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFcbfc65.TMPMD5=A4670CABC14D7551C56556724DDE58F1,SHA256=5AA750D72DC98C3B2F0FD3674D91BD9CF2CE599A23918CA948117F1E8D66A72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000237948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.282{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FA597B7A77B5ADF1661F936E175F858C,SHA256=4A038B802B8F021EABD9AD190B78DD443DA75AED3D2B95306DE2E523248C158D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000237947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.251{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C92-6352-AE06-000000008C02}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:46.244{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.244{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C92-6352-AE06-000000008C02}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.244{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C92-6352-AE06-000000008C02}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:46.245{EFF5EEA8-7C92-6352-AE06-000000008C02}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000237992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C93-6352-B106-000000008C02}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000237989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.939{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C93-6352-B106-000000008C02}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C93-6352-B106-000000008C02}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.941{EFF5EEA8-7C93-6352-B106-000000008C02}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000237979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.939{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE83D088F9892A4C7B9DA4EB402DD53C,SHA256=99EEBD7A8E27337DC479BD80FFCEFB89FA1EE7ADEFA97FBCB47CC8581B9CBBF6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.210{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B817E0859EC1930ADEFACAC06A9139FD,SHA256=F75179C0A31FF65CC58D40A79DD401641B955242FC01C17DEE8B21ED3DCE2B97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.174{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.173{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.171{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.169{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.167{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.165{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.162{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.160{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.157{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.155{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.153{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.150{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.148{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.145{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.143{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.140{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.133{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.130{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.127{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.125{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.122{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.119{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.117{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.113{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.111{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.108{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.104{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.102{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.099{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.097{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.097{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.073{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.060{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.056{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.049{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.046{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.043{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.029{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.564{EFF5EEA8-7C93-6352-B006-000000008C02}19361160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C93-6352-B006-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7C93-6352-B006-000000008C02}1936C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.401{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C93-6352-B006-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:47.402{EFF5EEA8-7C93-6352-B006-000000008C02}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000358910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000358908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:47.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000358952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:46.707{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59941-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:48.257{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EC38BCEA7C9453AF2584EE9C34AE5E,SHA256=90D92A9A480DEC446A1679E64B9D99E705BB74985F011535D92F492A3B692D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.800{EFF5EEA8-7C94-6352-B206-000000008C02}33803544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C94-6352-B206-000000008C02}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7C94-6352-B206-000000008C02}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000237995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.613{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C94-6352-B206-000000008C02}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000237994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.614{EFF5EEA8-7C94-6352-B206-000000008C02}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000237993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:48.095{EFF5EEA8-7C93-6352-B106-000000008C02}31961156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000358954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:49.330{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A87A73223B9E37B86A960CBF4DB6A2D,SHA256=61D914A7F856DB6C17FDC910FB7FFC6518E789AEE2865F63E412C391873BDE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.432{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E80301225FB361B9070840CCBCC208E7,SHA256=E88EFFE8A270E3FB67F48883B9E792DD426C6887AF5A853D94B38A7F44A4C486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.284{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7C95-6352-B306-000000008C02}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:49.282{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.282{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:49.282{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.281{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:49.281{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.281{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:49.281{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.281{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:03:49.281{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.281{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7C95-6352-B306-000000008C02}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.280{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7C95-6352-B306-000000008C02}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.280{EFF5EEA8-7C95-6352-B306-000000008C02}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:49.066{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0B4265A3D3AA672DF671E5B6B2EBA1,SHA256=1F5C73A641A1515163850A20CF8CB552DE4D49D6EF7334C7C55410A85DF602EE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:49.212{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-216MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:50.120{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184E2A77117869503A35D43AA3325F31,SHA256=713E59B286BA6F56C71C80DFE1F46D199A07C477C4F20179CBC290F704048248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:50.370{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A808C06AF91D99C8138323DFEA1EEF,SHA256=2E6D2678050D1F78806748BC157E08960816D597F85B0DDF625608C75F3A07ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:50.213{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-217MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.986{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.955{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.845{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.822{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000238024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:51.200{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AE8AAB27F4C9AFC84D0171AF07EDB4,SHA256=21EC6408D847AECA2B22380F75463E0ED4E411B5EE36A33B7206EFD5BA21AEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:51.430{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0424FDE4BC48847D176617C1FD8149EE,SHA256=F224D3C1A9349E0EAC463875A2518468289FCFC9514B82D2F6BFFDA5E0FDA275,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:50.311{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52295-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:52.783{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A22CFD29DE417FA6ED247F9055A735,SHA256=139479185543CAA536A029377B9410104627F23131BC61A363C7ED7D0E1FD647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:52.478{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9409DC28D27B6919DCF88A93BD9A019,SHA256=BFCDE13CD4FB01199B5B69C9BBA0B7C0EE5D61219D94BB8D84082397331BDC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:52.031{30B46F62-49FC-6352-E200-000000008B02}1264ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=AD80B2AFB85A2C45F12BF94E48169A9C,SHA256=C2773A210D80C272F27792B2BA323EE3DD7A68B7474F7C222B00DC7FE517CF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:53.909{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C37E9577C0BF7C963ABDEFA12DF03F1,SHA256=0363298DEC9AA003F1F210D0BCE178D8E907F77DC83932673DFB918661E29829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:53.566{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E8D1A521B72AF1E5C5C65196552EB4,SHA256=9ECD327163129EF0B9A50994FFE05EACCB319B015F2C53A195339E1DA83B13FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:54.984{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61D6092D29B228FF374AFC71BC22A86,SHA256=69670CBBC57A6800AD0AFB7D7C2D9085DD36E0AAED32218C0486B07FE1AE7669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:54.719{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AA65BD39F897734DCD7C298CE32082,SHA256=5653AC7AF13DDFC48879E1D782AB3813E92783B0445B1EE17A0068FE55547081,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:03:52.732{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59942-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:55.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED8FEA5F11C6EEBB9A8BA42A57BF154,SHA256=2AAE3EAD9E1122ADEB2220021B571CF56DEFF9A24F0DCE3D15226AAF1FF5C388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:56.738{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7EAF16083B7B024691C3BE2DAC68DA,SHA256=0C826C7884333D51B5906DB0C0AFF0F897FDF6A97E227D5B99AA64FD899A005A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:56.059{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B650390771ACCB9BD42F9CD7E994DFD3,SHA256=F8819246460D6EFA14AFD0AEE2E1C88A92AE09EBAA4F7BCCFF35549CA4D41D87,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:57.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2653732C2CF27238900F6F55DE27F4,SHA256=AA76119EE3289E4C1A89BE4C2AA1C5494E6DDB7890DBE81EAC9391FAE72B8BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:57.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D049527398C8BA15F60386CF869689CE,SHA256=A04AEA296D94ED3761F0EA6A275968A9D6AA477D6884CBD7E120417B5D90F731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:58.843{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5103D30170D5579B2D4088137B76C238,SHA256=D7E466117794FD0FEF88ABFB33AA796332072E4FF0581D5BFB0A563B407906F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:58.226{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D9FFE5E5051C39AC1C0A75E452324F,SHA256=A92BD6DE68576E4DE895C8E24BF8C9EFA130489441FEA160703C8876A4438517,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:55.494{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52296-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000358967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:59.906{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07F9431EB6236B6D081F6DDB62AD1CB,SHA256=E83D206771CCE21A51D0A99FB42855E5985A98175AA8B51CCE29173AF3BD31C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:03:59.193{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7134AE6B109D801BCB973A836932C9,SHA256=86DC88EB14EFA6E774EBF49E57BECAD007509173AB160E2D2FEAD11B6BAC2587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:00.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1211CDA065CA49E82DACF2429B376A04,SHA256=E98875D7C3F0207AA9ECCE691A7ECBAED385A669EE98AD07E82B495B24AF1D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:00.282{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0568D73757225B731DA6E4F2E9AA8C8C,SHA256=254F5B9C28B7D80F7E7B759D3DAB044012E233BD570466FA8DF5836DD9EFD6A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000358968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:03:58.726{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59943-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:01.371{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B078A252B43EC8B53A75196C9BFE29,SHA256=B5F39C5F6A92FC344E6382CDC6FA4774E475F130C253AAB34655BDBF61096745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:01.334{30B46F62-486C-6352-2E00-000000008B02}2736NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D6825602C99C6B6126537EEA860E25C9,SHA256=CD89E36739569DD236FF48621A911D7669AF6F152835835346FED7BDD2B022AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:02.462{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C7D07D82859EEF6C40808C83717C74,SHA256=E0C798AB754C00B2C3AF95F1A14336D7F978EE2BCC614E3F57F21180CA528EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000358971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:02.032{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63883B778511F8900236F3F33FC4CE7,SHA256=77C95213EC61D65AF0998F0FA9988CF0FCE63591DDA0F947B5E7B2C17612BB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:03.554{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4444E3BB48CEFE49BF4093DD45D7B236,SHA256=4218C6EB698C86F59B9E1BB7DEC3A4C4023ACB8EF61ABDE21889713F9A080CFA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000358996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.970{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3CBAEB672AE716DDE4FE0E34DCF297B7,SHA256=0B781FE32AB33586EB511E2442EB98DD32A57D2E82A8D2C64146AEB16DC360B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000358995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.962{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.954{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 
10341000x8000000000000000358993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.950{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.925{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.915{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.893{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.883{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.879{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.875{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.871{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.861{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.851{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.830{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.820{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.807{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.798{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.715{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.693{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.680{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.659{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.642{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.539{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.536{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000358972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.082{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF723E2B284BAFADFE5D6B827371CB7C,SHA256=21F5453EA475148E50FBFB3047BE6B829F1DA00E88F144D8AB91708B67768CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:04.617{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4DDD8A59E541757C3DEFB38C2ED94D,SHA256=48DD36522767A4D78BCB9747A23ED16CFEF95C9657C87FF84458EC6AD3BDFF69,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000359009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 
13241300x8000000000000000359008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00cc4611) 13241300x8000000000000000359007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e534-0x7387f1f2) 13241300x8000000000000000359006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53c-0xd54c59f2) 13241300x8000000000000000359005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e545-0x3710c1f2) 13241300x8000000000000000359004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000359003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00cc4611) 
13241300x8000000000000000359002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e534-0x7387f1f2) 13241300x8000000000000000359001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53c-0xd54c59f2) 13241300x8000000000000000359000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:04:04.921{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e545-0x3710c1f2) 10341000x8000000000000000358999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:04.501{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000358998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:04.497{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000358997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:04.133{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6393BE265C92C7263751FD9C7B463333,SHA256=CAE77B82781133BCA3DF01F7E4D8F64DC2DE0E2C22F15CDDC16B553E0484C069,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:01.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:05.964{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=27574C7E3020866BCDF289E0AA703F39,SHA256=5016EFC9D653C1D10B1BC470E982DC39EEB48BB5C9490E52611F904877EDD61C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:05.698{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7ED00E1FB8561CAE2A368C6A825B1A,SHA256=36F640EA56DD501795985869CBC049B932C4E1FAECF6BF16B351FEB02B6FC890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:03.870{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59944-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:05.189{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2049E5381035F42AE48EFDEB8BB8BE5,SHA256=D37BA4BDFB0F21D33B6098977BB87A50EA044FAD68CA44E1B846E0DB9AC4BB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:06.782{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5D53418C10ABB0459031E2A7B85D00,SHA256=69A809CCE6912A1AC2E1E1AB77B94E18B3C95E25FE01797DF0F369907EB11DE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:06.543{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:06.540{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:06.539{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000359012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:06.370{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422A8D7570A8C5B43A1702A657771E98,SHA256=67BEFC60761F0367F095F2EC94716C0AE6EE2F04E646FF13E9DA508CBDA10073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:07.877{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC8974412865FDBF58D3C7E83E55C07,SHA256=C623EBAFD9F7B5624D200D126BD61F1901CF63176DBB7658A5D17594C5E78A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.556{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07BD9734764A729F87DE0732E55760D,SHA256=0F30365E8E816541B8C98EC9B63F251766C166ECE32921F2BBCCA19B9E2DE9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.469{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B99F987CE7F06AE06671683D68BC48,SHA256=3A595F56A6D6E96A9161B826148FDB00C2E50034CD92CF03B52D6B5C983F7B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.377{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.375{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7C3C-6352-DF07-000000008B02}5080C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.373{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.371{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.369{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.366{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.363{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.359{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.357{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.353{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.350{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.348{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.345{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.342{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.339{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.334{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.326{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.318{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.314{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.311{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.306{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.302{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.298{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.294{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.291{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.288{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.283{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.280{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.278{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.277{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.276{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.258{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.255{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.251{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.249{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.245{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.242{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.225{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.181{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.179{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.176{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.159{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.145{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.093{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.085{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.077{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.069{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.068{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.065{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.063{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.062{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.058{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:07.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000238073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:08.967{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE1731FD7FA0D789449217365E2CFAA,SHA256=A8532F0E74A18F85F34746D95CF608F85505BBF77D91F1F04D3100713A5EB5A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:08.921{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=2D1273504EFD70C41CDA4B93BC11BD5C,SHA256=8A43ED64984C0AC1502D907D83913938C1D0EA751E2376FFDBB68458657F0FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:08.591{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73706BEA5BCA536FE84D43625ED81E8,SHA256=435F1394135479E89806624BD63FF5E8EC1A996CA190F12AB1D0F57622478D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:09.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E8985198AE2381625C9A78F3B92F6A,SHA256=EEB2D9EE1FAB8EA042666E3FD2BF614BDE30F40625C9157FFA651625D91E8689,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:07.326{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:10.691{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35970B2CF619D0E13BE1CD1DB45CBF06,SHA256=52AD2C91AE00BA9CB61914C0BFCFCB08B78E6EDE558275D2E29406E4C9410219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:10.045{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219E75BCC8E887CBDE1FC10CAC1BD86D,SHA256=8C1CB89F4A26CF6A40F0951558618490E6520DC64825625006D781CFAB14938C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:09.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59945-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:11.726{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF5FADD3E33DFB101B414573D501040,SHA256=2511CC996ABF03CD568D3D25A179F74FC290A175A2EAAC34FBCD1A372CC17324,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.985{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.969{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.955{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.877{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.857{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000238076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:11.145{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62933FB7F9D5055A453AE85E5221F3B,SHA256=CFB0C68CEE93FD3F76CC495DDFB0BE4B8FDB05B12E8B809BFA5F9FDF0B65FADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:12.781{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C235707D8C53C3ABCA9DEDB4631AFF,SHA256=754491EB17C4E8F34B50285DFB0B8C724FACEE0C6415D50ADBD5D460B9F02F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.694{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104F91268272B8658BC52DBAD1B28AC3,SHA256=2514042C28D978FB546B0DC93E09F1E2CC6DFB388BF90D28F0FA396DF136E4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.034{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.032{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.030{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.027{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.024{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.020{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.006{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000238107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:13.705{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696395CB533593EE559385416EDF1F39,SHA256=964F39E58C08E4D72F6A19D7420D1F1A1CEA2329465B3E4122E4E74A757417E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:13.814{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45938E6F2F227E186B852B6E36C42CA,SHA256=895FF92046B2081B718AFA5C11B01EA5182A7190B95D78F44030ABE0C80CB461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:14.788{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5070DFEB88B48CD383FED9ED14BFA4DD,SHA256=74B8787BDD41733F26B727160B11A74287980B7624AE62B4E0FA23279464502A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:12.463{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:14.855{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059117C5CF80F3012A14FD99DAAADF22,SHA256=457E361B3E068DEA3609A8DC3ECE1C67B7A19C4EEBAB713C1F4D92DBB08C5A4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:14.434{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:14.434{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:14.434{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:14.421{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:15.974{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BD407D506CDE1B5A3833DD9B350B13,SHA256=9EC20A2E89D0A8505CAB1DA6B6BF54E318E913EF36611D11C71CFF4A7049018E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:15.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D19A4FB0EEDB6647ECCE984AF9F153A,SHA256=ED8123B9D77275422FCA69C0283A5A4063DEFF07B3269BC3FEC397EA31E33AAE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000238114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:15.433{EFF5EEA8-485F-6352-0D00-000000008C02}7881196C:\Windows\system32\svchost.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:16.864{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23CD692F64F436D50F16B0FB86D4259,SHA256=53EADE52D13451F1FB02D801192EFD5BF6500EAF39733D1514FDAD97D839CD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:17.950{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BAC7D3BD4C4CEB9357C29834FFAD92,SHA256=AB93CD8A7232698040D8F68AFF9FB5228C73096A08A17F58E64D7A77B1D91559,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:14.823{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59946-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:17.020{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64A3B76FB1AFF590AD55EA1C386DCC8,SHA256=F9E9FABC6E61052DD0A238FCDF384CB00B0DABFDCC442080816F48C215B2CA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:18.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128BDFCA25BCB3B44E8789B57069EDC4,SHA256=DBCBB79F3B81E99696A9FB7072480AD555EEAFB51AE9D03C74A3D53C40BB7B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:19.642{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=886880427B59E85896F023CAC8C52616,SHA256=071DA994004F5857C6CF023799F6D34CD53D5643292A50DA280D75219F8ADF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:19.035{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C045409FFEB1AEDE6B2D7ED1D3C28623,SHA256=384386E4D8379EE540F53B978D57277D530E5121C661C4556F0C3A98DBD709D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:19.161{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9984CBBA9F5D4D5410A0B04490D7F094,SHA256=2BE78942277DB915C42EEA6C5FB0CA492079F70EC85C37FF0561427A5D3CC4F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:18.420{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:20.129{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D891478AE68B634E716530B971FA93,SHA256=5781A9AE5007021AFF50E020FBD630C4A6C74489F7CB156BFE0BC16F21737DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:20.262{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413EABC2B6B18D2C078ED9B891E7EC28,SHA256=AEC25E956FAFFBB4AD295111154EBD7580F20685072BBB6F1BC167C4C65D805E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:21.200{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04D2A268A331593A3DD05C74A3204EF,SHA256=B1C8B51D50D37D5FD7712832D6B99C141AA417F379AC5552CE0518B335948372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:21.278{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDA81DB99B52EDA63E13991B6EF2211,SHA256=042949D49CAD26876EA30FF92C91E94BCE40EBFCD30AF17EAEB61748347150BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:22.306{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A537A7CF4B2C15565EEE88B341E5C0B,SHA256=47864E7390DCA6202900CECA9D3DF1491EC99B255D92121174F91082DA3F06CC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000359089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:22.942{30B46F62-7C3C-6352-DF07-000000008B02}50806672C:\Windows\servicing\TrustedInstaller.exe{30B46F62-7C3C-6352-E007-000000008B02}6424C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\combase.dll+7d128|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:22.412{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F767F7CEB5E207C30B37A4984CC103C9,SHA256=BF9F64F4D39146C87E19D5884E00A6BA284CFCCCDA3C9AFAF76DEABAD2BA3781,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:19.830{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59947-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=80E5B7AD1C693911B436F2B86BD0360D,SHA256=0C9CA5F5F14761883C2AE911C0CC0EBA63E1877A826ACA5E9844D426A09A04F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.898{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.893{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:23.888{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.878{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.863{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.854{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.844{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.843{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.838{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.827{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.820{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.801{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.787{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.770{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.757{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.701{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.685{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.674{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.645{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.633{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.543{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000359091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.539{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000359090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:23.529{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02184BC2D759A45121D665D2A7F9B991,SHA256=CA1E95EE3AE6A00D3FA13F0DBD3EA5185C7BC44303B99C3CDFE4CA1573AABE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:23.393{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D513587320283C8A908B593ECC0B01C,SHA256=F303933C9973A711CBA9E2F2DD281C001B01A615CD57F2EC11089D3A109F6785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:24.566{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928559B02746210C52C15B670E0233FA,SHA256=B64889448C597BC84892182EDD009F0E28017C0FDD76633CFBE3EF5AD62C0CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:24.477{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB450BBB6C83A53E247CB802057E4A41,SHA256=72E0464550E7879FC5A1DAF470FA728F8D24654964207688FC464A131053A8FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:24.329{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:24.327{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000359118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:25.782{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D4CBB3D512C962980F3E8A992A4B9E,SHA256=BD08155EC5EEF0D54ACBF95F2640594A4F54BFF58274AA5E1CED306A60858806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:25.555{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604C3C32472CDCCF7220E5B9ED9C0481,SHA256=95E304610B843CB0E418CCD435721EACD011E5BBD9D2FAED84EFBA2F4907B770,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:24.332{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000238127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:26.631{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB4C52E75DD4DDF8BE7D500DDB975FB,SHA256=80189A5DDAB16509B93B3E8D14F14A93218F27201193B40021BE3AE5DC472A22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.989{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.987{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.983{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.960{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.949{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.892{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.883{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.873{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.867{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.865{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.862{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.859{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.858{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.855{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.855{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000359126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.835{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44393E5D1F75F5A21B7BA3A976999244,SHA256=E43F177D053EC7A7B6E54F2B3163B04D1A057F9AD13A18D8D6540509F74CF824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.350{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:26.348{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.346{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:26.029{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.029{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:26.029{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:26.014{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:27.985{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CBB-6352-F207-000000008B02}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.985{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:27.985{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.985{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:27.985{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.985{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CBB-6352-F207-000000008B02}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.985{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CBB-6352-F207-000000008B02}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.986{30B46F62-7CBB-6352-F207-000000008B02}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.922{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4174795995F07A6D5CA097C6CEEB42,SHA256=358013F1417A42A089C2D55DC993A48E7CB599488D733210A4AC33399E5288DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:27.710{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D279B6254B225E190562D3386F4B8FC5,SHA256=00EBDDCB80B1388AFEBC2698A132C59516C8FF26D9AE93A2B40E088A9D1D03E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.258{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2B181CD1F70D8130F691A442636F32,SHA256=507856D55BFD7233D10157D8A1BC5ABCF3FFF5FD891AFFA7E50C50C1D72508F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.163{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.162{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.160{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.158{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.155{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.153{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.150{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.147{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.145{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.141{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.139{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.136{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.133{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.130{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.127{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.125{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.122{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.120{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.117{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.114{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.112{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.109{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.106{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.102{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.099{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.096{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.094{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.093{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.092{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.081{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.078{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.073{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.068{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.065{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.062{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:27.042{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000238130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:28.812{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D403FEB461263631C86095CCB67E8E0D,SHA256=8AF8AB7D7D8A0951E02430ADEA6C86CA77F47BEF17F40C27187D13441076DDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.963{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=457C7FBA873CFCC568534B099EC2CA99,SHA256=49ECD374D1EE098426A599CCA8C7B3045C81C149A7E703CE07F2A687D231CF2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.670{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CBC-6352-F307-000000008B02}8640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.670{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:28.670{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.670{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:28.670{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.670{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CBC-6352-F307-000000008B02}8640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.670{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CBC-6352-F307-000000008B02}8640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.671{30B46F62-7CBC-6352-F307-000000008B02}8640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:28.169{30B46F62-7CBB-6352-F207-000000008B02}97249768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000359188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:25.701{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59948-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:29.899{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF24C33D25957FCA9A6BE57186E7CDAF,SHA256=346D2F7DE70153809119446E96E1A0C0D11EE52BC6C31B63441A85E340A8F241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.350{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CBD-6352-F407-000000008B02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:29.350{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.350{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:29.350{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.350{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:29.350{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CBD-6352-F407-000000008B02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.350{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CBD-6352-F407-000000008B02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.351{30B46F62-7CBD-6352-F407-000000008B02}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52803F4FDB2CD158D78C7D737D82C52,SHA256=34A5866741841681425654F16EE565113FA00B6298FF06CF7409D515213A468C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:29.071{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=683FE7A1BCFEA7A12E4E506700B3905C,SHA256=4AA864E9389768BC2B67C86471C8896A5D20E388CDECDB62B3957D38D9B73557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:30.103{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5811FD33E6A1C7DA89CA67EB755A9D,SHA256=2510DA3ADF9D96C0D49533A82C011DF394C5847B5B5949CD8821A9F0CCEA6E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.736{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1F9A058F2020EF2C65AC65FBBD5369D2,SHA256=CE87F206BB2F54B4120C17829EF10F9C6191CD44EF812161F7D626E932A7C07B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.525{30B46F62-7CBF-6352-F507-000000008B02}97809448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.288{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CBF-6352-F507-000000008B02}9780C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.288{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:31.288{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.288{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:31.288{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.288{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7CBF-6352-F507-000000008B02}9780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.288{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CBF-6352-F507-000000008B02}9780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.289{30B46F62-7CBF-6352-F507-000000008B02}9780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.204{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC26F756D0A1B4A803F1AE527F7BCA3,SHA256=9B58668A7FACDB18C4D39F2651320F3C3A4364ED6F42A6070496426E7BD888C2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000238147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.972{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000238132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:31.085{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D2BA152AA02D1A9D1FD2E5D542E950,SHA256=8C63BEB7E2E844E92AE485567F4EE0ADB85948A16DEF900028AF91BE3281D2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:32.305{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0B587AA5649105736FC94B955FEF44,SHA256=0E5C60EF0F1776A8288CBC7AD1EF2594358FE0DB8ED76DA2435818F1F9738ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.401{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966FD694B82094AC39F94F8DC1B6F7E9,SHA256=8DF70787DB7952AE2D078CBC51DC5B34DAF78C48C2244859C98C87CE8D4EE01C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.030{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.028{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.012{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000238148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.000{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000359233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.861{30B46F62-7CC1-6352-F607-000000008B02}71489752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CC1-6352-F607-000000008B02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7CC1-6352-F607-000000008B02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.638{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CC1-6352-F607-000000008B02}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.639{30B46F62-7CC1-6352-F607-000000008B02}7148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.407{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA34118C6896ACDE1995AC9154CD8C7A,SHA256=DBE95375B0F356AB001817FF5BB8B9D8C9BBF0D52054A30AE343717D6F8FDACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:33.453{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC964949469EFB71BBE36E20584E89F,SHA256=0BFB74F9203F58D0B9766C82E4C7523D8E6141055211D52E61ECA1F69B15CC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:31.662{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59949-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.054{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:33.055{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:30.284{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52302-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000359252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.878{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CC2-6352-F807-000000008B02}9880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.878{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:34.878{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.878{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:34.878{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.878{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CC2-6352-F807-000000008B02}9880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.878{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CC2-6352-F807-000000008B02}9880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.879{30B46F62-7CC2-6352-F807-000000008B02}9880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.740{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1FB52506AD175C5D33FEC316E0F00A,SHA256=D7DD1E1B98090E2AFD368ACB8BC3A9AE7D2073C6275ED50C40A881E4DC495F6B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000359243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.492{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8416CEE80A2313CBFC87B2FC283C624,SHA256=E0E1F9FDAAAAD64E666C6204909669755FF4BEB31CA1AAAA2C2B72898AF2B395,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.408{30B46F62-7CC2-6352-F707-000000008B02}8404816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:34.531{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244C4E24C300F68CA26E678DD41D57F5,SHA256=9530B8D640E4F92E2319CD59A96DEBB9E61BEF507A4D0F5E5EB272518A94CBEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:34.208{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CC2-6352-F707-000000008B02}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.208{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:34.208{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.208{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:34.208{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.208{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7CC2-6352-F707-000000008B02}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.208{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CC2-6352-F707-000000008B02}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:34.209{30B46F62-7CC2-6352-F707-000000008B02}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:35.603{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2CC3E7962AED408F6EE32CBE391B24,SHA256=EB67375F159D21353F17AF373250E9E8A8710B73EBA00D1F770F33D2C483A108,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000359256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:35.493{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6735EA284552C2E6ADE07ABCF356E4C4,SHA256=C22F3464CC450D84586E3F93070BCECECC33605DC14D13253E6A8732500B3D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.277{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59951-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000359254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:33.276{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59951-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000359253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:32.667{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59950-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000238167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:32.285{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000238169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:36.699{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BD4CD19ACCE97A03E54DA4957301CC,SHA256=F385E2E3523C13F2706E16A7E7E46C4C879E2BC7E147BA23022E4E5E2BE1BB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:36.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9EF2CA2474F51792CF03CA5DB749E0,SHA256=54E9B1FD1E4F8FE49E9D49F7215B5107D318B83574CC270969BAA52359DF995E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:37.781{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F07CFED1AF02FD84CE12BAF94310A19,SHA256=9B23899DAF5A018760DCB5096149ACDE28B873F85F500B2ED82759764997E772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:37.644{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7659E1B657EE06D02845031DFF30A94A,SHA256=7E8CEABCB5AA5680C195379889827D50A66C0B0150905E845BE0F5E11BA644D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:38.733{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D242CC6160C84BFC1D5443B61EC38E,SHA256=448CCA928FC06FFE7ADDD6E9FDFAE5DC48917F3113ABBCEB63AF09A2F7A73D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:38.935{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-217MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:38.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DF5D2F41640CE81956E3A40D5DD072,SHA256=790221F937176EE6F472D07C8763BDD5849CA61B059E176819B0EEA9E4CFB684,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:35.468{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:39.960{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271DC5DE8BB2CCA6779A3CD89DFEBCD5,SHA256=031777358EF0A8AC4A809509E118611BF02EAEACF3FCC07A1D3767EA35A88945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:39.943{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-218MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:39.831{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B80917D3ED857C5F6E191C25BD7767,SHA256=BC64F0E0ED53B629137A739A97CB19BE14114C378433285334D6E42CBA31ABCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:36.819{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59952-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:40.901{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90F9ED5B51A83A39E2B24B0A95D2426,SHA256=F529B6420A8B2AEAB110C0FF2B173BB154CDD153AA8F15F98CF75760190A8587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:41.990{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6242BF30287E94719E2492F28E73F1,SHA256=BF215F6B68E5756C076A0D5A1102F908B1E002D0D522A257F6FB086A698544CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:41.056{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DADEC668D3BEE9BD758488693FBB32,SHA256=E43AC3B54DB97BDF662F0F6B7CBFFCF6D0A20E5B5F262338AFE05D4906D74607,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:42.153{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689BBAB1172E1E10D64271F0422F34A0,SHA256=3727D60E82E10608D22C6ECA394662BE678DC6D9146C9BE55F60D432988A1934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:41.335{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52305-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:43.214{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C73B698492475B786F35F96DF709B3,SHA256=540E62D64C9CFD7B6F6B74898C38E1A8D88AD697303D09E42FEAD4F00CDBA166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.755{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.746{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.742{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.737{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.735{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.729{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.723{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.720{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.718{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.716{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.710{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.705{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.693{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.686{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.669{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.648{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.605{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.590{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.584{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.576{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.569{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.537{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.534{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000359264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:43.078{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587E3D9497CD2103F9EE98FC39C38F43,SHA256=A5BC8C328041B3B72AC59A8D4FC4DAF151917050DA2E6DDA25F090625EADE5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:44.284{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643E4A88F2B83CE3A4041DAD60A54055,SHA256=8D568C1768C2930DEBCC97C5A1CE73DD2B04944AF51A9BEAB1A82CD7B478E432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:41.887{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59953-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:44.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAA1D234ADC03FCEBFBFE70ED83D46F,SHA256=2586CC681A689CF04F6B3D180FDF6DE763F51F1B1F5A85F07854EC985C527B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:44.138{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:44.136{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000238195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.723{EFF5EEA8-7CCD-6352-B406-000000008C02}20683412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.565{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CCD-6352-B406-000000008C02}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.560{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.560{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7CCD-6352-B406-000000008C02}2068C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.559{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CCD-6352-B406-000000008C02}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.559{EFF5EEA8-7CCD-6352-B406-000000008C02}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:45.380{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6243E12C0766E5EC524B187A1CD3532,SHA256=564AB901057D335B0971780381937ECB5717ED2145DA9496E318BAC53FD24F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:45.235{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D18BE9B055093ABCF1B95D1AE7DA217,SHA256=09EA61BB1D90A34A09BD4BCA14B2C4F614A2893F4BCB346A87BAED7601C457AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CCE-6352-B606-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.776{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7CCE-6352-B606-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CCE-6352-B606-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.779{EFF5EEA8-7CCE-6352-B606-000000008C02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98AC3F8CF8CBE6D66601008B5D7BF66,SHA256=F46CB4F7D9DBD92648FDACF98831BA8BAAC58535E7B80CF21FD37D8244629F86,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1669D1FE62D7360A6020F005606034A,SHA256=5BA12EEBBF8D411418A14D90DCE8DFD1BBBF36696E21EC5F5CFF63D832DFCD92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2F11A761E7A780480C41655AC0282929,SHA256=17A3637A57C72BF4F007853B43751645C9342177605BEF740FD41458A8C3BDA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.417{EFF5EEA8-7CCE-6352-B506-000000008C02}3364692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.958{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.955{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.953{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.948{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.946{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.943{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.940{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.937{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.934{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.932{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.929{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.926{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.923{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.921{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.918{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.915{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.913{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.910{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.907{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.904{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.895{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.891{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.889{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.885{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.881{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.877{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.875{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.874{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.872{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.860{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.857{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.852{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.848{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.845{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.843{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.833{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.785{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.783{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.780{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.763{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.753{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.713{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.705{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.697{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.693{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.692{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.689{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.687{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.686{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.684{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.683{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000359296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.319{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4E66DC219D5B0D64C60D30A4E800BF,SHA256=1A7EFF4336E883692DC586348D4CC7BB6D39F3648ED3D64801CFAD736C1DD32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.240{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CCE-6352-B506-000000008C02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7CCE-6352-B506-000000008C02}3364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.240{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CCE-6352-B506-000000008C02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.239{EFF5EEA8-7CCE-6352-B506-000000008C02}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000359295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.169{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000359294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.168{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 
10341000x8000000000000000359293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:46.166{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000238240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.640{EFF5EEA8-7CCF-6352-B706-000000008C02}4923560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.471{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3FA6B756AC1F535656398256DC74F8,SHA256=A6A2939D9FCD158FA5B17B888085CB5FF05E864A2FAEBB0E9939D1C128FB944D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CCF-6352-B706-000000008C02}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7CCF-6352-B706-000000008C02}492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CCF-6352-B706-000000008C02}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:47.440{EFF5EEA8-7CCF-6352-B706-000000008C02}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:47.335{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A249FEF6953461857AC7AD2BEF235C7E,SHA256=330298492CE144CB2934B38303D2C92E4BAA6931A47A6E30210538DAA75F9DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:47.070{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB076F3FF83913225C08B0D9D22571E7,SHA256=95CABA499CD9F60A01B5D4A9F181A3E4B8512CDEDC93C292F14F7832ACEEE5E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.954{EFF5EEA8-7CD0-6352-B906-000000008C02}32602204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000238267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:46.365{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000238266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CD0-6352-B906-000000008C02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.792{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7CD0-6352-B906-000000008C02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.792{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CD0-6352-B906-000000008C02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.793{EFF5EEA8-7CD0-6352-B906-000000008C02}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:48.436{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72F16C40AAED11111990A87662AEAB4,SHA256=694A877DDCD44F01BCC8F8D9DB14631113E396B5C44906A761F4C29E4D73DD3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.120{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CD0-6352-B806-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7CD0-6352-B806-000000008C02}2728C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.120{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CD0-6352-B806-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:48.121{EFF5EEA8-7CD0-6352-B806-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.983{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=944301A52E92F67BAEB847F4EDDC2AC5,SHA256=5FBADB42720A712FF0F1588458EE12138B9FA599B438B0AF761493C5985A99B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.967{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34948C40CA0E93D1569C09506766B368,SHA256=3AF0EB0DA41BDF3E73F1831339075F42CC7CD4448AE4A8535790D0035BFC053A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:49.536{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343F1B96CC9EBE98A2D6A19A2BE03304,SHA256=6C990EF8317A9531B906237AF74C1FA2F5D09204E88E1AA28A59DD3F8D3C18D0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000238282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7CD1-6352-BA06-000000008C02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7CD1-6352-BA06-000000008C02}3084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.352{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7CD1-6352-BA06-000000008C02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.353{EFF5EEA8-7CD1-6352-BA06-000000008C02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:49.001{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7CD0A884992F799AD684AFEE43EBC4,SHA256=0CD0F474F876926878A64CAD72946F45B87A75547EA6B53A8EAD623A53821694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:50.741{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-217MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:50.591{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2ABD96425E05AFC3AABCE6089B56324,SHA256=1C2693B7AC9666F94AC7AD91B42D87623FD3880BBD6198DE1F39387E26F8E450,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000359352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:47.782{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59954-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:51.740{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-218MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:51.670{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8131CEC2AF77E12016811E42C260D8,SHA256=C20335C37FE2670554218D62CCF7076B1C7C2BCFF89EE68FF88D79D05935A2A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.982{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.980{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.971{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.967{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.957{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.886{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.844{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.831{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.817{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.813{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000238285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:51.039{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B06B934421BD7CC2B71387697A3E4C,SHA256=99F783A4F80FE6291A62329AD6AC1209B4CC2C0858667FE4159BBF867479AD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:52.758{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EB9FF9EBC570900769E3350D855992,SHA256=193879EA41307FDE1EBC383DD67729C99792417507B6CE2B2B0928DA5B052AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:52.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AD5D8D88FFAA81158FF05B3FA2DE5B,SHA256=4E7AC65657E3C8DB97B06926A9551E97EC3B8136FF30E6561AC924041C119884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:53.868{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26E51CA537BA2F2BBE9899D95421C5F,SHA256=0F190AFC4D6A9F1945E5334B533BD58A776B91F9E31746FA30FDFC98BC1527DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:53.400{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7A914B8F2FFC0EB87F2AC1DD58B70F,SHA256=4FAD607227EF252623640A99CB6E962612C101EF14771C418AE2CDAEED2BCF77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:53.475{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=56A91B9B7E6A62DA2A7CACA465EEB737,SHA256=70E4630B32AF0A3F116E4887FA3022E7337AF5758C32C49AC3F13849FB021136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:04:54.963{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72ABBAFD0442AB1331A3E8B8AE283EA,SHA256=46E3E8278A5C7589E1F118505F21C1180069263242409CE400D35101B45D4F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:54.478{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BF2EA0DC975C99E4D0ED6FAF26805C,SHA256=65BF59F4AECC2E83DC07EB2682AA49DE0299B6D765164CB0A397BE65C9F5DA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:55.562{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FACD7F4371E76FA20355EF9BFF0B70,SHA256=42D5CB1E352AE2CB7F7268F64261F3B2F9C828CE50E660CC7F3CECE46AD3515B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:53.729{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59955-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000238318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:04:52.341{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52307-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:56.643{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB57BD06DEBAD4C4F6FB7AB9A1B8B6DD,SHA256=DA6FFEE158A87EE87DFCED7A60DE7DA7F307363C99C3192E050F4408886482E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:56.092{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C5EF07CD9D487FA6C75BA611CAEEAE,SHA256=9466CCD82C0A378A8FE1D702093A910D9D0F72BB3E9A55DF40C169345A3048B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:57.725{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C9C0A20FAD02C119423741F38A1A7B,SHA256=614F98526D882059BB514AB25710C68AD47A38F8E339371C82A6F19E72F2D994,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000359363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:57.117{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ADBA82FEBDDA1A49FE6916E73AEE16,SHA256=638FE3C11EBEF4F561D39593BE884EA1F38632B885F3DD11EE8C0A073C0A2793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:58.824{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A4DB5D8FA64E4676184297CD8BBB92,SHA256=B471CC8C402EC9EBF51A47308C2DE11BE18CF7A1FB88AE9FA9DC660F69A9CFA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:58.215{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610F5210F75E4539A39B9AF3FCE322D1,SHA256=9AAB88C0D6BBFDB478325FB48EE646024FDC8F532937ECF0995C107950EEA29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:59.907{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AE78A3FA290A62664567003652A5DC,SHA256=47AB867BB7F6B81E397CDAE9A8B45FABE36A04EFE5B499971337C19D1B3E8D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:59.279{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A69461A710501353B193E22FA433C4,SHA256=0F950D40051B0F00CF7991CDFA541646EFF68CDB061AD2E97BB175CF5D6D55B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:00.996{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1E6EB373E6FC769576E238ED25287E,SHA256=A5E27F0CD0A229DE0FA2CA4CCB94D7F442236D492DCF37E161BBEB647E14A202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:00.918{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1B3CBA3E6B905EA9F8B4FC718CB1FC81,SHA256=2B371DD2E360AE155681AD8B2F54B7E813281F2E305D34DF91A5BDCE983F172E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:00.380{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD527B4F1E3FDF246A52EB6E76199B4F,SHA256=57F400E6DFEC15D8FE9671885D65ECE5273F0210A4583100FA4A4B587B48151B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:04:58.257{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52308-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000359369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:04:58.886{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59956-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:01.481{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703D99F8104021E5D67125116977E8E3,SHA256=6A123DD53A761AABA11978A404007E4D91CCA681FEFE1240A8CADFBD6FEFB166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:02.569{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8ECD935371057D8955400D744A7D681,SHA256=A4206EDADCD171BC50D402C79E62AC871BC4F0D9B0D3D0EB809667336D0A90FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:02.065{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451B2EAC696E90182E26ADB766546EBA,SHA256=D30C8B0E59DD0E861C655E7DCC03908C2679373C209D63FCB1C2DC587C8009F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.974{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=780F7A8E666AEF3B704ECBE6C24E747B,SHA256=30D9F621EC7C764F2DA9F5BBDE59FE716420853BB9DA7230D90495E8DB54BD37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.820{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.811{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.809{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.802{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.800{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.788{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.774{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.770{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.767{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.761{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.752{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.736{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.710{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.693{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.680{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000359379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.670{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04E6B088AF74ADEB18858014A473D8D,SHA256=76E46348195EF21BACFD38C415AEC4DE29AD890E4B55623631552ED986704FF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:03.667{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.626{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.610{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.600{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.590{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.580{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000238327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:03.252{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040F3E0669E4742C20B17A3BE19917DD,SHA256=24B792EB97928A282ABCFEFF88790B8F9AC9E7612C7610D29DAF374510A768D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:03.542{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:03.539{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000238328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:04.334{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A91EF6286B566381259D9F5C461A18,SHA256=1E1C6D938F5D5862691072487E02C013838F8696029401EAD0A87EB0D042AE6D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000359398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:04.621{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB5561CAA8552DDEED8B11420C1AC5A,SHA256=3B17EEA5ADFE317F9D1DFAFE950AABD33AC381125D9AE22F17308E95188C4454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:04.240{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:04.237{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000238330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:05.966{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A1F75F7141B129DC77164B2AA61F4C1E,SHA256=F9A7752E811A18661CBD106D16C80B4592DD0E69416DDE02950D4798E5439AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:05.404{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C57B392D8358A24B1A6177E8F1B5A57,SHA256=06AD2D771C50C28EEFDAF221832CD495659B4DB9445F88F4464DE15D946984E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:05.685{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B83F8C296C2545391D26B5F834EDB9,SHA256=6F776E3AD145BDECA0C9763362F953DFE4CE28BA93393064DDB4034EB75B131A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:06.510{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988AD135BF9B00A640B1BED8899FECFA,SHA256=EED8EAA8C983117CD2855D6076A7C96EB2042EC172BCF7B764696E7F52AAC006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.988{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.986{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.979{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.976{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.972{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.970{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.953{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.894{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.892{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.887{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.867{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.855{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.828{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.822{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.811{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.804{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.800{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.797{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.793{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.792{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.789{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.788{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000359404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.754{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A19AB6796B9F4E34C3867E49B8FBE61,SHA256=26510CBC950019E5D4016774A40137BA8796DC200845E9C13C8F15DF8E14BD7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:03.431{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52309-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000359403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:04.691{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59957-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
10341000x8000000000000000359402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.273{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.272{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:06.269{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000238333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:07.584{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC44DC9BAA7AD9894BF32E2D64BEE91,SHA256=C1680FDC8E4219DD69AF9EAB53B5C832F1964B265006FFED7104DF82D2A2223C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.857{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D2583BCFF5F2C5F9019F509D7DD2DC,SHA256=D220564172EBFA64B70A27685C5F71C5378F41AF8807D13C63A795A827067DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.324{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F457E73F8C7FC2ADC9643B9376993FC,SHA256=72C3AE71784C5BBB13881F3CAF26B809760736ABD238A0CD82C27EB121DE8441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.101{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.098{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:07.095{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.091{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.088{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.086{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.083{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.079{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.076{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.073{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.069{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.067{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.064{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.063{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.063{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.063{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.060{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.057{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.057{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:07.057{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.057{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.056{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.052{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.049{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.046{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.044{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.039{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.036{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.031{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.027{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.022{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.018{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.014{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.008{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.007{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000359427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:07.006{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 23542300x8000000000000000238334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:08.670{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2C5BD43A34198D9327EC94F1A72601,SHA256=AFD18079D991EEF576F7A1B4572D46BBBABA22D1698B62F98AE3A6AAC15E9422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:08.945{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BAE0AF835F988804C66F481B1C50DE,SHA256=C4A99D073EEB9666011BCC4BA71ACA2F666E392DE61AC1D28AC8FD2700603D01,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:09.733{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA1B2CFED20D29E24D7E7C4A93F5E42,SHA256=0C5494A3AECF837988DE78F75C12BFD09B6911B957D75F59A30C22C72DF8B640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:10.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5335F56D7376311F8758DBFAC7DF683F,SHA256=AA91EB4CB666BE2FD3D0F01CDED7606FFCEFDD27BC9EB2201C6E66092831434F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:10.026{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27465B32CAE8134ACB24785E86231D0D,SHA256=FD6F51AF09FF7EDDE63CFB9D164163052A8C9E497B9D7EB2FE030F976C8FDB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.997{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.992{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.981{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.978{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.968{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.966{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.951{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.940{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000238345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.901{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C294C2596644E32764B56E8F33283AF7,SHA256=119C16898E3AD97FF5D32758689E0F133506238E290918808D8CFFE9AF0E68F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.884{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:11.877{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.870{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.863{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.851{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.837{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.835{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000238337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:09.354{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52310-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000359468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:09.781{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59958-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:11.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81082F3B39C8D56711CE9EB86BCF1D8F,SHA256=5E3A8D625DF31B0A1749E7B7E63DEB46AAA238862B877471E557D4B8C92E57F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:12.012{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:12.009{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:12.007{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:12.005{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:12.004{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000238361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:11.998{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000359471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:12.746{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:12.746{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:12.279{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08BE6420CA0C39926393EDE78BFFC64,SHA256=3AFAA5B54F38FDFE39BE31201605C9494520102CEEEAB096F9798FF98B6B804F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:13.435{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EF2A63333AEBC81F9220881516F44A,SHA256=3FDAD9C86CE5752CE7B8D4639CBAFCF35D0DC2AD417A6D120106495D7C4386E6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000359472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:13.362{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B376071C35781A53D6D9843DB13A2D,SHA256=2A666ADBFE1A23194B2F41DABB65DCA9D6B51008D868A9920BD495BFE5AD22CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:14.473{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD0A7ACBC433C8A9EF6ADFE8E99849C,SHA256=1B056E12BAD137221A1BE627D65A8C65405ABA742CE966548D84B436E27CF9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:14.473{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67809B1A24C8F207B10BAD1486208BE8,SHA256=6DA1AD8F65E72FD80E3D41837F7020B10AB19E441C287BCD0C71930A4500D540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:14.421{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:15.664{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1611D400BF9242917A95635DABDBAD67,SHA256=4928F57808F722A5D9A4C27C9EE621AC11B1EA26CC16AD189A73988D3B170007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:15.545{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FC60E2293A47C9676F0351AB650985,SHA256=AE22D7DF611AC896B7308CC297026CBECA4ED58B6BB1F9EFF56434A41C413437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:15.492{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:15.476{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:16.835{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B755A443F7482A3779ACC34E776A44,SHA256=6C5E530687CA01A0C17F1E96733290F304E55DED79AD5C32D25DD238DC1F1355,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:14.871{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59959-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:16.638{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02654F05ED5B3AE5DDCC4DA62DF144F,SHA256=4F687171CB966779E868D069DA45B1B3393A82FD07A1F22C1DADD04031319669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:17.914{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CCBA65DDF8B9575AC5CF6699EC6BE3,SHA256=25A56A638751A2F956115EE7CDE64A4E23F83033D71FD759203024CBAE725583,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000238374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:15.344{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52311-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:17.716{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C84BEC5DF8802865FEA663BD392BE7C,SHA256=8968A5146C1A8E99422CEB884A931907330D3D76CA482B36D5EA85D1D32FDA76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:17.635{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:17.635{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:18.936{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D690325D369E6BF7435352F34F1CE74,SHA256=5E9584825F86067C2612352C66538DB0A685084B15F4791913B2820847D6B3C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:18.811{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C99E29D6A2E692B9A0D64EDF9E26425,SHA256=803DB7002A0D0E073B01868CEDA434AB18ED1ABA58EDED738748E51AC5146843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:19.903{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CDCEBC08BC27E26BF05475CCFD6D3F,SHA256=7F9DD9C810261C0DCD1743E74CA5F857F6AE9E01D2D4142241327F6EF3073CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:19.536{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:19.536{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:19.170{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=015D2A4EBACB9BF38DD891D18CFE698D,SHA256=ECD76E317712A05B3F2305813165087CCD31A7602DC87A3AFB85FB28AADC626C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:20.991{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701F8D11C40A90B1FDD61325FC600248,SHA256=92D53E88D0F2CB1441B1F0D53EFAB2C93C9CF91E962A717E958C12DA95CDB0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:20.021{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01154651F90839F72B4F04C66C82FE4,SHA256=840A9C2062F1668138F1C8A9905F119BF076696D7666B500F2B1FCD5157BE3E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:21.482{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:21.482{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:21.101{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4110D8F790FBDEE5DB3C156560EFDD,SHA256=89289B2942B733502E7009EE04F622A7B15C80E86C41F92EB00E503DD4FD085C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:20.477{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52312-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:22.075{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133A354A2D7DA318FD33FDA0015E9C9E,SHA256=EB7746BB7B8118C2141D5506661B3602A3D8185D63E3D94066668542495725A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:20.677{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59960-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000359514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:20.652{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.205.25.54ec2-34-205-25-54.compute-1.amazonaws.com56445-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local3389ms-wbt-server 10341000x8000000000000000359513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.719{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.719{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.719{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.703{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.703{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.695{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.695{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.695{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.694{30B46F62-48CF-6352-9A00-000000008B02}48049760C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.694{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.693{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.693{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.693{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.672{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.672{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.672{30B46F62-7CF2-6352-FA07-000000008B02}65686620C:\Windows\system32\conhost.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.656{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.656{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.656{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.656{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.656{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.656{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:22.656{30B46F62-48CF-6352-9A00-000000008B02}48044740C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+220654|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\SHELL32.dll+100749|C:\Windows\System32\SHELL32.dll+ff2f6|C:\Windows\System32\SHELL32.dll+f1bc9|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+169ec0|C:\Windows\System32\SHELL32.dll+1665ec|C:\Windows\System32\SHELL32.dll+199ac0|C:\Windows\System32\SHELL32.dll+166786|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000359490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.656{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 
23542300x8000000000000000359489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:22.188{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC916C2AFFE8C972AA2DDE910C5180E,SHA256=E43B8DD7E2B3D6E7FE1DD781DED6612F734E64403C343BF6DCFCA4C3EA24688E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:23.164{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E166A81CAA673896752123A7520DCE54,SHA256=DBFF50CEA66F9183E3FBA24A0FA02AFCC3FD37863FEADDC3FA25C45F6EC1B387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.980{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:23.973{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.969{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.960{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.955{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.938{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.930{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.924{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.911{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.908{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.897{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.887{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.868{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.849{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.829{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.814{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.730{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.698{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000359534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.679{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E46E0408DA5545EE643E8D9DB54C9A,SHA256=47397E055A8F9F4761D44D3AAD4F954CB9671B49A65E8085E055D7E10735724E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.674{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:23.652{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.636{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.559{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.559{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.559{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.558{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.557{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.556{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.556{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.554{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.543{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.543{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.543{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.542{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.542{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.542{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000359516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:23.273{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A564EE84A03D60769CD5D9536B4ADF,SHA256=E5031C4F6A259877E199C696679B61BF8E81BBBA6D06DB01CDC6BEC3AD81D240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:24.481{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:24.477{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000359553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:24.429{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F2C5DB3596C25D4F8E73E1B6B0391C,SHA256=561D6630899A87527D89E9C42FB7031A2E6C7FF55BFD458414E31A11467BB1E2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:24.269{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA3B61F1E97B7B8D6A8FD46776E5991,SHA256=53790E7E7432ED5B0883C512E4A7CCB2CEC382D476277A936B6E840974E8D48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:25.501{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529FA14291645FBBB23E051BDDD5406E,SHA256=57D652DB3E88476FA6C935C5F640C432EF306E9AFA755C256B544139E097FFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:25.333{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4F61D3982A0F4BF5EA71C668F1F709,SHA256=4901F4615EAE9243B6B6E859E3AE5EB10F51BA9AF8B87AE549A980AF487CBEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:26.422{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E331E5B8CC6530AB0D8C39662F6B7F98,SHA256=B69832AA8369A4B0FD0F1C33C0A9AA22BB4FBC1C47CB7467E31A13473CE4190F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:24.691{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61636- 354300x8000000000000000359566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:24.690{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50175- 354300x8000000000000000359565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:24.689{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50201- 23542300x8000000000000000359564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:26.582{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C4D6194C1CE9B6088C542EF5532D5F,SHA256=563A391AA7D6E1F49F523097744D5B95F075419804A3DD3E95426E67D3787203,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000359563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:26.512{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:26.511{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:26.509{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:26.026{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:26.026{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:26.026{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:26.012{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.993{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:27.993{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.993{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:27.993{30B46F62-485E-6352-0C00-000000008B02}8326504C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.993{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7CF7-6352-FB07-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.993{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CF7-6352-FB07-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.994{30B46F62-7CF7-6352-FB07-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000359624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:25.816{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59961-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
354300x8000000000000000359623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:24.691{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59789- 23542300x8000000000000000359622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.577{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715F4E9DDC3DEDE6A278E9E237220B81,SHA256=5F8983D1FF5F7F51FF1F66843711EC9500892165E955308009F1A289EFEAB4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.577{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1D0680A9877EEE19D0417922F0FEF1,SHA256=1F3A96AF9C53B3A7C869A60807819E83E514AAF134CEC6E8E7D97F6E81BCF607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:27.509{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDA55F28B63FF676A3C643AF7EA1DF0,SHA256=AFB4FAD234CF48392E1AC358388E8E682B4083BB3D25C2E17FA908AFAAF8008D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000359620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.326{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.325{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.323{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.320{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.318{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.316{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.313{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.310{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.307{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.304{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.302{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.296{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.292{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.289{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.287{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.284{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.282{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.279{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.274{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.271{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.268{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.265{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.262{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.258{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.255{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.252{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.249{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.246{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.243{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.242{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.241{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.229{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.221{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.217{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.211{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.209{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.196{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.151{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.150{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.147{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.122{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.111{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.052{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.046{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.038{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.035{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.031{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.028{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000359643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.863{30B46F62-7CF8-6352-FC07-000000008B02}55849912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000359642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.726{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=480ED2F02B47F21C74687F054E9B730A,SHA256=F41C0996A6304FC42DC0E0F82876FAF6EA90AC0B1F05A4642E597AEDD25DD2D2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000359641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.669{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A299B8E74A56082982071AA4A9AEE3B9,SHA256=EFBA937D4B8FCE0C0C0C4C1733645BA34EBABC8D0E3046D362F790D82540CAC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.664{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CF8-6352-FC07-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:28.662{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.662{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:28.661{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.661{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:28.661{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7CF8-6352-FC07-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.661{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CF8-6352-FC07-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:28.660{30B46F62-7CF8-6352-FC07-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:28.613{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED26B00C76FB38676F3674BAECC1D30D,SHA256=496AE5DDBA71A6B6C94D4374B123A76E77E69853755C33ADDFEF7BF95B70B15D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:27.993{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CF7-6352-FB07-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:29.710{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2B07F7676DD2358B0F07504510165C,SHA256=28A9240012B543EB091E8898422345359FD42804E13362C7E8453B826A317033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.864{30B46F62-48CF-6352-9A00-000000008B02}48044740C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8fad|C:\Windows\System32\SHELL32.dll+283a4e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0
bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000359660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.864{30B46F62-48CF-6352-9A00-000000008B02}48044740C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8fad|C:\Windows\System32\SHELL32.dll+283a4e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 23542300x8000000000000000359659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.763{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D648709C9BA8091415A5E8C07EA2ADC,SHA256=785AE0E26B0F85B4128688A10CBEB36EB96FA92FDBE53954B2647C406BE83992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.726{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.726{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:29.711{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.711{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.711{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:29.711{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.347{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CF9-6352-FD07-000000008B02}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:29.347{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.347{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:29.347{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.347{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:29.347{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CF9-6352-FD07-000000008B02}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.347{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CF9-6352-FD07-000000008B02}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.348{30B46F62-7CF9-6352-FD07-000000008B02}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:29.046{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0385FC2D45CC00DE0826F64373FAC999,SHA256=833AA43F91DE807F4461A7EDC3AEC224D008ADA07372787DD6351FFC0FD80F98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:26.277{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52313-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:30.812{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B35DE9A607268F881B46782D323EDB,SHA256=BD23643B3A3ABECBFB8BDBDFDCCA50222FDEDFC298BA95B5F30DF9143F52B790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.864{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BC8F4257B0892065C72B417D42F415,SHA256=4C0BFD5D3D50D361355273AA49B4958C3742FE523D0D837790583565658FF100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.828{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CB302510AF8A1A0D3B51C788E8C0DE3E,SHA256=752C6100F1B415CD695FB6AB6CC8C85E76EA620637A2B711A78C61E89169D7AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:30.779{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:30.194{30B46F62-48CF-6352-9A00-000000008B02}48044740C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8fad|C:\Windows\System32\SHELL32.dll+283a4e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000359662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:30.194{30B46F62-48CF-6352-9A00-000000008B02}48044740C:\Windows\Explorer.EXE{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8fad|C:\Windows\System32\SHELL32.dll+283a4e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000238419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.980{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.971{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.937{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000238402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.914{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D9FEA168375634A3B27D7E29A291B9,SHA256=769DCABB70B6020368FF254CF84068864CF29BAB2F6B391EF5F117E78AA3C519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.841{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.817{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000359710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.995{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF3D12F4A9A04114F59BF9B30B0BFE6,SHA256=BB55EFD43A3D21699490BFB4567DFFBC99B107264FADB5BAF06F43E24236C8DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000359709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=7CDE029924879D9CD856A99DD1943644B72808CBCDEA430C698F63C4A405A8AA 13241300x8000000000000000359708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000359707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local2022-10-21 11:05:31.812C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=7CDE029924879D9CD856A99DD1943644B72808CBCDEA430C698F63C4A405A8AA 13241300x8000000000000000359706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000359705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000359704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000359703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program 
Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000359702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000359701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000359700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000359699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000359698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000359697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteValue2022-10-21 11:05:31.812{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 
10341000x8000000000000000359696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.812{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.722{30B46F62-7CF2-6352-FA07-000000008B02}65686620C:\Windows\system32\conhost.exe{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:31.719{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.719{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:31.719{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.719{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:31.719{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.718{30B46F62-7CF2-6352-F907-000000008B02}55085696C:\Windows\system32\cmd.exe{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.662{30B46F62-7CFB-6352-0008-000000008B02}7628C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000359687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:31.633{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.633{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.633{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.632{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.632{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.632{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF9-6352-FE07-000000008B02}6936C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.549{30B46F62-7CFB-6352-FF07-000000008B02}17248092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.295{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CFB-6352-FF07-000000008B02}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.295{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:31.295{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.295{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:31.295{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.295{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7CFB-6352-FF07-000000008B02}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.295{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CFB-6352-FF07-000000008B02}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.295{30B46F62-7CFB-6352-FF07-000000008B02}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:32.933{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D654B45819E36F0ACEA36C4450AAB0B,SHA256=1777C41BB3F618879D59DD1C23379875A7EF4FAEAF15A7650FDD500844B32503,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:33.082{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:33.004{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC993F865ED509A22EBD3966C67208A,SHA256=0EF8BBB461766CF66C98AE870F6AF7A9667DAC5BFDCC196B76C83A09485DD46A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000359773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.852{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000359772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.852{30B46F62-7CFD-6352-0108-000000008B02}99087444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.852{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000359770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.852{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000359769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.688{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.687{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.687{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.685{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.685{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.685{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 734700x8000000000000000359763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.675{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000359762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.674{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000359761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.674{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000359760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.671{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000359759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.668{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000359758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.668{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000359757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.667{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000359756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.667{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000359755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000359754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000359753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000359752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000359751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000359750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000359749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000359748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000359747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000359746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000359744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000359743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000359742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000359741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000359740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000359739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000359738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000359737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000359736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000359735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000359734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000359733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000359732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000359731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000359730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000359729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000359728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:33.648{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000359726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000359723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:33.648{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:33.648{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.648{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.650{30B46F62-7CFD-6352-0108-000000008B02}9908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000359716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:33.565{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000359715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
11:05:33.565{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 13241300x8000000000000000359714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:33.565{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 13241300x8000000000000000359713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:33.549{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\MuiCache\169\52C64B7E\LanguageListBinary Data 23542300x8000000000000000359712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.080{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000359892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000359891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000359890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000359889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000359888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000359887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000359886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.982{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000359885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000359884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000359883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000359882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000359881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000359880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000359879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000359878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000359877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000359876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000359875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000359874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000359873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000359872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000359871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000359870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000359869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000359868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x8000000000000000359867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000359866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000359865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000359864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 
(rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000359863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000359862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000359861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000359860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000359859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000359858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000359857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000359856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000359854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000359852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000359849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.966{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.966{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.966{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.967{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000359844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.775{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000359843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.775{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data 13241300x8000000000000000359842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.775{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 23542300x8000000000000000359841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.770{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933B67B3C2C847F8EBFB7855752B1880,SHA256=EB7F1243AECB5F3C10F8150EA791B448D44C1D6B8D0CF698B7C1EEFA6BC9321D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.686{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B27C87AE7A37D6C5B38E35899D3EE55B,SHA256=CE0CF6EFADEC08818D7A095C13484E9CB325BDB1E9CC6A29A8C6BDA4B749C0A1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000359839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.670{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000359838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.670{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x8000000000000000359837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.669{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.669{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000238423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:31.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:34.112{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D53697A3C599C934F58D8D4B4D7BD9,SHA256=700E1B4128275FB6593833FACF157C543946B1D32835AD81A4CC13AECDD15527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.669{30B46F62-48CF-6352-9A00-000000008B02}48045012C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000359834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.669{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 13241300x8000000000000000359833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:34.650{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\MuiCache\169\52C64B7E\LanguageListBinary Data 
10341000x8000000000000000359832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.650{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.650{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.650{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.650{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.566{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000359827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.566{30B46F62-7CFE-6352-0208-000000008B02}26049452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.550{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000359825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.550{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000359824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.334{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000359823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.334{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000359822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.334{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000359821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.334{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000359820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.329{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000359819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.329{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000359818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.329{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000359817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.329{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000359816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000359815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000359814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000359813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000359812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000359811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000359810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000359809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000359807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000359806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000359805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000359804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000359803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000359802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000359801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000359800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000359799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000359798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000359797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000359796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000359795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000359794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000359793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000359792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000359791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000359790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000359789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000359788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000359786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000359783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.313{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:34.313{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.313{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.314{30B46F62-7CFE-6352-0208-000000008B02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000359776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1402FEA52A7E7FFCE2AF0840DF238F3,SHA256=8222B38E092A5DB988F432A2361BA0B9D9F2E5B70D639B3BD64CE3A7BCBAFED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:34.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7CF374128ABD5FCEC5815F19538676,SHA256=903989802DA9E12F40A2B7482B3D36230B786DD3E7AC6F8DFB924483139ADA53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:31.734{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59962-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:35.206{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCD843C02FE7B6B836A22856237889B,SHA256=1AD750AC264484B92B8B9B4D60D4172B40BC16818685DE9B6F6EDA3C478C328A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:32.311{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52315-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000359899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:35.438{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861AC78B788F86417BC6C7E54B845EE3,SHA256=EE88E2BB67949774D96D1BA9CD5E86A249CA8BA69CD670F47469503D902B012A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000359898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:35.240{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000359897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:35.238{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000359896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:35.237{30B46F62-7CFE-6352-0308-000000008B02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000359895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.288{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59964-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000359894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:33.288{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59964-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000359893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:32.704{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59963-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 13241300x8000000000000000359904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:36.851{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary 
Data 13241300x8000000000000000359903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:36.851{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000359902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:36.807{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\MuiCache\169\52C64B7E\LanguageListBinary Data 13241300x8000000000000000359901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:36.807{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\MuiCache\169\52C64B7E\LanguageListBinary Data 23542300x8000000000000000359900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:36.076{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C25FFEAC4364AFC8F619FA7AD91F60A,SHA256=7BCED4FDF6D20F4D416DB4B29AD47AB96B435273FEB07B3B1DD038E97022077C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:36.186{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9A97DCBA14C81ABBAD8C75935E2024,SHA256=BF41E00CA8C6A84A8A4843213BFD0542EEB626336194064C69598390E2F929B3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000359907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:37.792{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000359906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:37.792{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x8000000000000000359905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:37.176{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D79B23CE7748DBB0224BDC20C576D7C,SHA256=3DFAD0CF2A0E4581742A56A86DE2B8AC67F7786108A8D55775E099927115B2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:37.289{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0913C70D5A9F8673E195B332226C52,SHA256=19F3C2C1B4277D5273CBA23AB8D13AB5ABBF05454A3670A000E86698D97864BE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000359913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:38.924{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000359912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:38.924{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000359911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:38.923{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListExBinary Data 13241300x8000000000000000359910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:38.923{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x8000000000000000359909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:38.923{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
23542300x8000000000000000359908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:38.292{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79277ED508C3EF59F07BA900D2BEB731,SHA256=5633F556195F4D55996FBF264FC1C3974AB8C45F3DF1CE6F342C657F9A68B331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:38.384{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED100C6B2C17FACF993E510D23866013,SHA256=2E3FF8D3F46AEA7D3CDD1389FBF88780E8E906EAD5F412C094AAC962224C3713,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000359915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:37.695{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59965-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:39.377{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBF3D496F824A3E0F3229D59EB5779B,SHA256=D807D2FCB2ECB5F5B467A855A261B2A32D8B8D66CA63C6E5D0AB07C888E7BD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:39.495{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3179F2179B13AE1A6E9C01E7467B11E1,SHA256=74564AB63303858A3CBF233BCC077356A7A227A295AED40410993FE8AF8A679A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:37.357{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52316-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000359916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:40.473{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D464A569CB67BB39504C4621DF1C5F,SHA256=0F68D74956A092E071A3821114A2624FC0D30BFFD8B590CEA693FBF3C9E1552E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:40.570{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4AD314855AF4B64380F683C0822717,SHA256=56B8266FC8D2BFE8D8EA43BC67683ED118C6A52ECFA161999C9F37579635CBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:40.485{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-218MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:41.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2057A84A9C902ADB7E5204772D5EA8E,SHA256=167724F3669DE43D918C6ACD022158C3C0BEDCFDA5EA1935FA414641AE0C76B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000359953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.873{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=06E4C87885888BCCE1CCC6A15C38BF93,SHA256=ED71CBD22523DFE135606423C60C3B0114A5103D350D5D0E266F2E61919422FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000359952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.789{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.789{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.789{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.770{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.770{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000359947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.769{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 734700x8000000000000000359946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.694{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=40609845B5F71A923CADA8E9BE0DBCD3,SHA256=4A37BC90B133F9E768570F8DD15ACFB242D766D91161ED927EB6D059E8A1E026,IMPHASH=C3A947E86E0B67FAA3B0B56CC5C7BCA6trueMicrosoft WindowsValid 734700x8000000000000000359945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000359944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000359943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000359942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.710{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D,IMPHASH=1B7EF7A158566FE5E056CF936C1F0BA9trueMicrosoft WindowsValid 734700x8000000000000000359941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000359940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.658{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000359939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000359938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.658{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.679{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.641{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeD:\calc.exe6.1.7601.17514 (win7sp1_rtm.101119-1850)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEMD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1false-Unavailable 13241300x8000000000000000359934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:41.641{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{62A0ADB8-4F1D-4419-AE53-14A89297AF22}\LaunchCountDWORD (0x00000001) 13241300x8000000000000000359933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
11:05:41.641{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{62A0ADB8-4F1D-4419-AE53-14A89297AF22}\AppIdD:\calc.exe 13241300x8000000000000000359932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:41.641{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{62A0ADB8-4F1D-4419-AE53-14A89297AF22}\LastAccessedTimeQWORD (0x01d8e53d-0x0f17bf90) 13241300x8000000000000000359931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:41.641{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000359930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:41.641{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q:\pnyp.rkrBinary Data 734700x8000000000000000359929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.641{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
10341000x8000000000000000359928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.641{30B46F62-485E-6352-1300-000000008B02}8486564C:\Windows\System32\svchost.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000359927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:41.641{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\SIGN.MEDIA=7D8772 calc.exeBinary Data 10341000x8000000000000000359926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.641{30B46F62-485E-6352-1300-000000008B02}8485520C:\Windows\System32\svchost.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000359925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.641{30B46F62-485E-6352-1300-000000008B02}8485520C:\Windows\System32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.625{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.625{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.625{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.625{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.625{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.625{30B46F62-48CF-6352-9A00-000000008B02}48045240C:\Windows\Explorer.EXE{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\SHELL32.dll+100749|C:\Windows\System32\SHELL32.dll+ff2f6|C:\Windows\System32\SHELL32.dll+f1bc9|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+15d5c0|C:\Windows\System32\SHELL32.dll+15d213|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000359918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.621{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe6.1.7601.17514 (win7sp1_rtm.101119-1850)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"D:\calc.exe" D:\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000359917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.557{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A12BDC5DF081A02E6702F5BE918DA8,SHA256=E2FE9BF1FEA00B9673052682EE199E476C4A247D155CA69F533CB67F03F5C44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:41.470{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-219MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:42.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69627B8E9CE0DFA560B4B2BA91E52C76,SHA256=6EB20511F37113A863E3B39F734A68BF342E9984A09CE74D657C49728BD3F614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.824{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.823{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.823{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.818{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.818{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.818{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000360054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F86418EA3D9E61696C617B79BEA2D6,SHA256=F149B2C83F5BDEFF305BB6F87E57F18FCE10BE3DA1E0B191E887DDD925CDD0A2,IMPHASH=00000000000000000000000000000000falsetrue 
734700x8000000000000000360053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.659{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeC:\Windows\System32\pcadm.dll10.0.14393.5427 (rs1_release.220929-2054)Program Compatibility Assistant Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=5DD80805856A5784982DE56A53D93F4F,SHA256=5A1F08B4D194760A6CD802A64FDEFEBE99DAA315FEA281DDC9F87EAF9580256D,IMPHASH=87A3AD703BADD3DFEF6CD8454A33C4CEtrueMicrosoft WindowsValid 734700x8000000000000000360052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.654{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507,IMPHASH=C4D742A0EA60EA0359B282ACF9999522trueMicrosoft WindowsValid 734700x8000000000000000360051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.659{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000360050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.659{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® 
Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 23542300x8000000000000000360049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.638{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA1BDBD12A30EB1442F880595161FA3,SHA256=B2F0EA2B345EF77E6989EFEEB34499F8F01F75C0D99B05B01BCB8EBAF4ABA262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.606{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E58F130176E0B4ACCA3628F37E9B4F1,SHA256=1DEC8B8B832ABB160AA99484CC212C5D3F94C119E219F060572258B3582ED501,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.391{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000360046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.391{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 734700x8000000000000000360045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.339{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480,IMPHASH=A92DB75F144155161CE7994504E7528FtrueMicrosoft WindowsValid 734700x8000000000000000360044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.306{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeD:\7533.dll-----MD5=A8C071F4D69627F581FA15495218BFF7,SHA256=C992296A35528B12B39052E8DEDC74D42C6D96E5E63C0AC0AD9A5545CE4E8D7E,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000360043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.290{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=94C93F32B21EB2DA6AFF2C264B17E623,SHA256=4ABE629C6A2A44F35F205709FB004837871D6CD4F3C21F2F77432B2F98DAFC77,IMPHASH=427ABCACB68FF99E5D5660EACE2D94AFtrueMicrosoft WindowsValid 
734700x8000000000000000360042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.275{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 734700x8000000000000000360041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.275{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=3645194B19C92D91EF59E38796619524,SHA256=2E637C375BA08379AD2810911FED726332E25A587022A6D823B628E3724A0607,IMPHASH=35B9FC596D3364271C5C4C1DDE352DEDtrueMicrosoft WindowsValid 734700x8000000000000000360040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.259{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=0F1E9D98CC524190E9B045908E6BC1F6,SHA256=252B3BA71F9452011FA60B6C7655DE65C93EE02754F6B7AF08CBBAAE844CDEEB,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.259{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9B,IMPHASH=02A49231FBD4D14396A5A54F65097366trueMicrosoft WindowsValid 734700x8000000000000000360038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.259{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=AA7C77E4D80A83624BACD72A0A22E374,SHA256=E6B8C76FA6163B808D6B797B1227622925E2E861B383FB132C6B3D6BA24D71E3,IMPHASH=69C9827FA8A57968D7E74F368AD4E790trueMicrosoft WindowsValid 734700x8000000000000000360037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\AppPatch\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=3662AA8F2034650E7C045F1BCA730DDC,SHA256=55FEF94CB7F703BEB70D199F749364219DAE1D13E915389E3F4A2A230B5EBEB6,IMPHASH=D470F529839E63CD53A1CCEB6581270BtrueMicrosoft WindowsValid 734700x8000000000000000360036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6CtrueMicrosoft WindowsValid 
734700x8000000000000000360035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.159{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeD:\WindowsCodecs.dll-----MD5=21930ABBBB06588EDF0240CC60302143,SHA256=8760C4B4CC8FDCD144651D5BA02195D238950D3B70ABD7D7E1E2D42B6BDA9751,IMPHASH=BE2605D3DC2146051F3615439BF170EBfalse-Unavailable 734700x8000000000000000360034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.139{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000360033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.290{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000360032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.139{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD,IMPHASH=3546967BD7A83D49718BE45FB48403B5trueMicrosoft WindowsValid 734700x8000000000000000360031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.321{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFD,IMPHASH=3546967BD7A83D49718BE45FB48403B5trueMicrosoft WindowsValid 734700x8000000000000000360030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.121{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000360029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.121{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5427_none_f6751390f253ba42\GdiPlus.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=BA4CC0577FE193749AC71D136E63DE7F,SHA256=D8796DD5FB6C79ABD0F466E7A537D196B569FF478D53D68BE13883C5A0960A60,IMPHASH=7693D57C38FF80D4013B00CECB7C64E3trueMicrosoft WindowsValid 
734700x8000000000000000360028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.321{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000360027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.121{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000360026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.121{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000360025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.290{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000360024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.121{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED,IMPHASH=A2681C42106048F87359D11744AD087BtrueMicrosoft WindowsValid 10341000x8000000000000000360023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.290{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.290{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000360021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.290{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x8000000000000000360020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.121{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x8000000000000000360019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.106{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000360018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000360017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.106{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000360016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000360015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.090{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000360014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000360013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.090{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000360012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000360011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.090{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 
734700x8000000000000000360010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000360009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.090{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000360008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000360007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.090{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000360006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000360005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000360004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.075{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E230B8A7225E6727EC1886846413A54D,SHA256=2ABEF9C7B0EFD58B1CDA5B3C4D784F007C631329FC452E780105D35217A40497,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000360003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007,IMPHASH=533BC84A1EC4841BF15F5E4FF63A29F1trueMicrosoft WindowsValid 734700x8000000000000000360002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E230B8A7225E6727EC1886846413A54D,SHA256=2ABEF9C7B0EFD58B1CDA5B3C4D784F007C631329FC452E780105D35217A40497,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000360001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000360000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000359999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000359998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000359997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 
734700x8000000000000000359996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000359995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000359994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6A51D4762C9E3554953ABBB5AA1A4050,SHA256=12422A5E2171851EC8ADADD11313F9E74310F137CE60C3E547EFC658A52BCEF8,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000359993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft WinRT Storage APIMicrosoft® Windows® 
Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=C6546AC6C60F9CCBB2152397535E7546,SHA256=ABD5F8EB2A0EA16D6DECE48467E246EE3413C78E48E44A7F5935D11A2884E847,IMPHASH=9D339EEAB735596FA7DC404B5B56A994trueMicrosoft WindowsValid 734700x8000000000000000359992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000359991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.059{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000359990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=05685D846954E1BDD621868E96488B6C,SHA256=D628EDE3BE96C118FFD69A1ED3FB47BA475B7C304C20CA47D80421F5FA466522,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x8000000000000000359989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000359988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.059{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000359987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.206{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000359986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.059{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007,IMPHASH=533BC84A1EC4841BF15F5E4FF63A29F1trueMicrosoft WindowsValid 734700x8000000000000000359985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0D,IMPHASH=1B7EF7A158566FE5E056CF936C1F0BA9trueMicrosoft WindowsValid 734700x8000000000000000359984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=40609845B5F71A923CADA8E9BE0DBCD3,SHA256=4A37BC90B133F9E768570F8DD15ACFB242D766D91161ED927EB6D059E8A1E026,IMPHASH=C3A947E86E0B67FAA3B0B56CC5C7BCA6trueMicrosoft WindowsValid 734700x8000000000000000359983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000359982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.054{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000359981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000359980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000359979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000359977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000359976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000359975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.038{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000359974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000359973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.191{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000359971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.038{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 10341000x8000000000000000359970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.175{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000359969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.175{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.175{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.175{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.175{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.038{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000359964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.038{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 10341000x8000000000000000359963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.175{30B46F62-7D05-6352-0408-000000008B02}95046176D:\calc.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|D:\WindowsCodecs.dll+11b0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+6ea4e(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3eeb6(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52fcc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52e6b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+2f106(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3e30b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3aee4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+5362f(wow64)|C:\Windows\System32\KERNELBASE.dll+c7268(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ad6(wow64) 154100x8000000000000000359962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.178{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEC:\Windows\SysWOW64\regsvr32.exe 7533.dllD:\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exe"D:\calc.exe" 734700x8000000000000000359961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:42.038{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 10341000x8000000000000000359960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.175{30B46F62-485E-6352-1300-000000008B02}8486564C:\Windows\System32\svchost.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000359959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.022{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000359958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.022{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=6A51D4762C9E3554953ABBB5AA1A4050,SHA256=12422A5E2171851EC8ADADD11313F9E74310F137CE60C3E547EFC658A52BCEF8,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000359957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.991{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=C6546AC6C60F9CCBB2152397535E7546,SHA256=ABD5F8EB2A0EA16D6DECE48467E246EE3413C78E48E44A7F5935D11A2884E847,IMPHASH=9D339EEAB735596FA7DC404B5B56A994trueMicrosoft WindowsValid 734700x8000000000000000359956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.939{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000359955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:41.936{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000359954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:41.928{30B46F62-7D05-6352-0408-000000008B02}9504D:\calc.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=05685D846954E1BDD621868E96488B6C,SHA256=D628EDE3BE96C118FFD69A1ED3FB47BA475B7C304C20CA47D80421F5FA466522,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 23542300x8000000000000000238436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:43.836{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A982A011A809A3288809DE7EBE18AC80,SHA256=854950875697B6ACEA35458C10182559EACC11E4072FE8974C54C4A0BDDBC5B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.727{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.722{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.719{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.713{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.712{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000360080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.708{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E8770BB4F6DB70E711C3BDDB718C7CD,SHA256=D7A116A1A3CD27B16E3D6AD6BAB3E3527AFAC34685FB3EA48AA5D3CD70B5D458,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:43.703{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.696{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.693{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.691{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.689{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.682{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.674{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.660{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.649{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.635{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000360069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.632{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C0B34DD809825FB7532090A9C6397F,SHA256=AB1823FA09B799696EA360D89C1B09341CA1BEC3E0F36FCE9F08DD28EE70C532,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:43.628{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.594{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.584{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.577{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.569{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.560{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.523{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:43.521{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000238437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:44.933{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275C26CB38F30F7CE181819856883041,SHA256=AB9E3F5423F805B792725C9D169709F1126D9630AB38D27F26E366B4544B7D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:44.647{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFBC180BED463AE43D365CAA5D2E672,SHA256=647D4998215337FFB0D955193D16CC82535A8952972F0CEBC2ADE3E07DF72365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:44.067{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:44.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 
23542300x8000000000000000360090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:45.755{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBACE800F3C54C1CF171CDB5E90B38CB,SHA256=C067ECB4B0D43A95964241A19F68EF0ACA56D730BBB019DB3AE4C5719E3D2FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.755{EFF5EEA8-7D09-6352-BB06-000000008C02}1048644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D09-6352-BB06-000000008C02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:45.583{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7D09-6352-BB06-000000008C02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.583{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D09-6352-BB06-000000008C02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:45.584{EFF5EEA8-7D09-6352-BB06-000000008C02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000238438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:43.275{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52317-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000360089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:42.778{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59966-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.959{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFDB7F3E2C0C23DF84DAD0C5F907906,SHA256=6E476B5A7AB6223C1B2A28C2C46AAD7C5986D56ED6EA6140E7F93785880F407B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.791{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.791{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.790{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.788{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.786{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.783{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.781{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.779{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.777{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.774{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000238482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D0A-6352-BD06-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D0A-6352-BD06-000000008C02}3200C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.755{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D0A-6352-BD06-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.756{EFF5EEA8-7D0A-6352-BD06-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.709{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D4B57B8ED7C3A3B52CFF36BB44A08C0,SHA256=3F93DD30E408AADF069C02DD1560AFFC2D6D06E6D52E711E9463C02D3BCA595E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.474{EFF5EEA8-7D0A-6352-BC06-000000008C02}12281180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.255{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D0A-6352-BC06-000000008C02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.250{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D0A-6352-BC06-000000008C02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.250{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.250{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D0A-6352-BC06-000000008C02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.251{EFF5EEA8-7D0A-6352-BC06-000000008C02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:46.093{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D1C49B002FB8E338DB8A3CC6ECA4E5D1,SHA256=B41A3970EFFDE22759F16C8F3E29F0C06545256B813552C7531EA1242CDF7874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:46.046{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D7002E1B51CBF4F42319B018506A42,SHA256=2A19C8C67F0EA02CF41CAE2F6D92FF0ED5940C35ECDB84EEF063305F32E23C3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.771{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.768{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.766{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.764{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.761{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.759{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.757{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.755{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.752{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.750{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.746{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.744{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.742{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.739{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.736{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.732{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.730{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.724{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.721{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.719{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.719{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.718{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.707{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.704{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.700{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.698{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.695{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.693{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.683{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.647{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.646{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.644{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.629{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.620{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.599{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.594{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.587{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.583{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.582{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.579{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.577{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.577{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.575{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.574{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 13241300x8000000000000000360097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:05:46.072{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8e53d-0x11bc031d) 10341000x8000000000000000360096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.071{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000360095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.071{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000360094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.071{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000360093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.070{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFcdd125.TMPMD5=A4670CABC14D7551C56556724DDE58F1,SHA256=5AA750D72DC98C3B2F0FD3674D91BD9CF2CE599A23918CA948117F1E8D66A72C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.070{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:46.068{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000360155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:47.827{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19064A15DBA5E844D71669AB33296965,SHA256=A2285D8CA314DE5A1E77621F0B1E26EB248CC0762DE09688F9E5B15EB8617802,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:47.427{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D0B-6352-BE06-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7D0B-6352-BE06-000000008C02}3328C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.427{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D0B-6352-BE06-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.428{EFF5EEA8-7D0B-6352-BE06-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:47.234{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AC17884D362015F1F900939A2C06AD,SHA256=7F041F576258AD7D82FC75977931DB28D226E1BF895C26B3A834690D8B7D746F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:47.040{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:47.040{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.782{EFF5EEA8-7D0C-6352-C006-000000008C02}35923132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D0C-6352-C006-000000008C02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D0C-6352-C006-000000008C02}3592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.642{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D0C-6352-C006-000000008C02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.643{EFF5EEA8-7D0C-6352-C006-000000008C02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000238517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.517{EFF5EEA8-7D0C-6352-BF06-000000008C02}4961480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.363{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.363{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.363{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.362{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.362{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.362{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 23542300x8000000000000000238510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.351{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3400F11C7A4EAF4BC28C73AC3360A4D,SHA256=CBEE5F685B4D370E74DEBED0CBB1CAD2D17BF7EA2CB61F530E3B381EA20F490D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.101{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=AA1FD1EFCDAC036B72429C8513A2F4E2,SHA256=BE86581A28AA8E3483FAB5C1ADF380F8F118035DE3A4CAD93CB640B06C2B4525,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000360185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.026{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.025{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.025{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.025{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.025{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:48.025{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:48.025{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.099{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.100{EFF5EEA8-7D0C-6352-BF06-000000008C02}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.444{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7662E84773D5E781DD67B09BFBD7DF72,SHA256=860E1AD0CE4AAA5250C11110180BD9BA6015400CB5113DA7911708924826DB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:49.006{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F9BABDEF7994A2A4C12682B405326B21,SHA256=EC752741363B19685EAE1EC0CED0A18659DBFA41A9D8C941ACDA0641C9865382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:49.005{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62751A93493A4AB580CFB59A20128E4,SHA256=8879C97DAD6E92B6CCB15864BEA9196432939714069EBF8658026AE6887035DC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.328{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=224DAD56290763C128AE00BC26D562B0,SHA256=863ACED0954B6421E9D634A6594C117564B9B9F03E2C41F0C67113D1EC4FBE11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D0D-6352-C106-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D0D-6352-C106-000000008C02}340C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.312{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D0D-6352-C106-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:49.313{EFF5EEA8-7D0D-6352-C106-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000238548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:48.403{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52318-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:50.532{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BD2D3F8417E1016339E8A3B2A7F865,SHA256=A959242C744566519B2050B6BDF2F4EFC8BD5D5F89DEA72E46F83268931E926B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:47.841{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59967-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:50.049{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BBC20C9835CF99014F70B833291CD9,SHA256=C2FBD3B8A4C2DA9F3C4B44C3D7DD2E98334BE419C4595982BEA6A4AD4C5E7AD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.997{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 
10341000x8000000000000000238574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.994{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.986{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.980{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.969{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.954{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.822{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000238549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.625{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB02EC2F51CE73C649A4BF759F41EA05,SHA256=02CA50D3E9BC7BCC6509B8B558FE938F405461B1B30EFEA04D81FEE35734511E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:51.154{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A32A4C4732338F5F2CCF50519843BDD,SHA256=C0032FF2E3D16F6C47305893DB9248A1E17141C29F238B33510C59C2F49299D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:52.804{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B55A247763D45AE3CFAE02B1BFB88A8,SHA256=A072B0CD6D0ECB46AF8A39EA85BEBF947F579FDEC1EE8CA2176282EC1D776345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:52.263{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-218MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:52.172{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119845841337A24E938EA045E4FB5FCB,SHA256=8875670AF536DD4A7EF9777743DCFB5DD33D72FC6465496889557E63F847AA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:52.002{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:51.999{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000238580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:53.905{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4FB43F550098EBCB0C3DC25D0E1E74,SHA256=FDD636E07A37FEAC42233843BF9DCC9DE6059BCCFF52C5595FBD4369284A30E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:53.261{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-219MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:05:53.176{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CEBA82E71EDA0B4B8164BBE90FB08D,SHA256=0290277B5D68BA23FB1095E6B2FF2CD14AD398F7E7C8BD6DF4659524951DC8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:54.993{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2FD12C8E05444C01686F34D3AF1F7D,SHA256=094F8ACE20F93E389D122C6C2B56553E4F1E9E567617D15E76467A57A6A06E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:54.281{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A34DB51190F9E1F41F331ED1B45BFC2,SHA256=E7D2F65EFFE780ACC97E7BD8EEABF72862E671FAF2BA98C5961604EFD7C7C478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:55.385{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFE9AB83912CCC78A26F37E9DB6B760,SHA256=ED003F9F2E6606909524EA695C7C81918C1B9F24C702876070DBC5D743A5B0AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:52.861{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59968-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:56.389{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3805CA22944B02E4DF05019442A727,SHA256=9744376EA0A0DFB2FBCBF46BA58E809D4FC1BDE5FB6DECBE4C2EE6B9617A9B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:56.070{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930931A506539CF0D0B11FB6223F40E2,SHA256=834E5722A7A1C354528E36A46F379FD9E3641D718B9540DF0BCDB12C510291FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:57.395{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3A4230BE266FD0DF3873B1076D4F39,SHA256=91AEE06C3D87A41D46EB5E7DB587721CF9CDCBB52803A9EDE596E77F3D4FB663,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:54.315{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52319-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:57.161{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E502ED4B8C2CFA778F4B202498EB09B9,SHA256=60B908D0470ED55C667DF4AC7BE29D366D517B7555A6A7B961E2BBA7AAB47E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:58.498{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E7E47DAA9B5004EFB48A309CC49F2E,SHA256=A4AA69CFC66DEF5D6845624A1BF60E4BDC5FD27393E6209F9480BD17FA403D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:58.251{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE070788EC02E19F67FE0359AA2B51DE,SHA256=A6847204F626ED52B015734BB866E839C7C64729AAE63B6C3A0EBE4AABB1C9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:59.601{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC45EAB2875422528C10AA81D189BE13,SHA256=5608DD33CED38C6843194E07A2D396A752C0F04C28455DAE9DE5EE1A3476218C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:59.345{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA218A7C8FD18C38F6F09BF9971913F1,SHA256=B23FBD581BC7988207B82FFC3811D4606F34541BB2D9036574FB074D71D7C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:00.886{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=82F0E693C596DB6C467008B398E7052F,SHA256=B70CB025383C9CAE4952305615D5393E1D65D26BEBFA6FD117B4C21848E8C1BE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000360205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:00.719{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100A9B3D845F34DA540B5E15FD8CE943,SHA256=BB5B02D70B1996C7CA741FDFE0C00B7DE5DFA502DD71F00CE9E3D12A3D87511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:00.449{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3530ACA4B77610915FCB0E48A1EFFFCC,SHA256=AF42E987DEE54D50B5940F27E80258985705B5C66A55DB64E7A0B1479DC8C33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:01.815{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622063515EDF6F614FA27FD20B2DB737,SHA256=C9176A168AC3DF30D389B86AB2E801F3B6DD81BFD12334DD0904ED5AC83D3E86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:05:59.823{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-61214-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 
23542300x8000000000000000238588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:01.531{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7D977F26653F0A6062CCC85302503C,SHA256=80E565FF384E48D81CB68D8649828C36E8EE7B465806B86D5089E99B8E82AB92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:05:58.749{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59969-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:02.838{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B067DB919D1F742FB425D071A3D7C5,SHA256=75BB84BBBCD64C48160CC422E9368DC08264178CF0EB99D3923708DD568D6863,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:00.283{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52320-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000238590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:02.615{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51C80F5B5485FEFE0276A505DB2E2F1,SHA256=7F26752C323FCFFCB82FDF246B2E32472D16D5108A8BDCEB9CDE47498EA93E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.974{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7561B4918C6EAADBB79292D1B9490B52,SHA256=223590E20FDAF859E7E2158794644E58AF4526B52025976BB576E0CB0927574C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.849{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BDC999A4CB3B77299E9D97F2EC2A46,SHA256=ACCBBDDDFC151CE22158689D1699196D90582853F27BD03DC9CEBD54ADC7381F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:03.703{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCF6EB2EA4F6AC21122D251BDF53C59,SHA256=5113E8BCF8A5C12847017FAC198477EC8BECCCB05A31074326D62148E1E262EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.740{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.734{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.732{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.721{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.720{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.706{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.692{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.686{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.684{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.681{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.675{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.667{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.655{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.647{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.637{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.626{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.588{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.578{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.572{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.564{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.557{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.524{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.522{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000360237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:04.923{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54465A37ED567C2B46E8FA9CBB16617,SHA256=4A22671653F79F4CC72755EEE5DFC1BD3CC1FFFD46C083C565A7A33320A72DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:04.788{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67337BBDEFE96024AC3300E5BD069D59,SHA256=7C4FFEE22B3867B3058147798A00F3CDDC87311212880752BDCB9521A652CA6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:04.102{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:04.098{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000238597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:05.980{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BF271F5BCACFE92AC8E26F05C3E61238,SHA256=747183C08CB2F6BCBD7EBEDF8D39336FD1B88C40C03938F54EDE634948335859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:05.883{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDC337C79A0C846381CE44474E821B35,SHA256=A2EC5EDB981E20B5B636A991629240BD584C14EBFB7A9B5DDE5DAF1C0893A7AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:05.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D23C2026C713FA36DF13A23E29BB21,SHA256=AC06AF0DB3ECE5BD238112A58D867FFDCBC1E463F6741B9214564673EDD31477,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000238594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 11:06:05.695{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e53d-0x1d6e4209) 23542300x8000000000000000238598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:06.908{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3072ABC3EA832A53EAF98595A4D627C4,SHA256=1AAED26724692252F68FEBD485987F8640B0F4A864E7CDFE0F33FADC67452824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.892{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.891{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.891{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.888{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.886{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.883{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.881{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.878{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.872{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.870{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.867{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.865{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.859{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.853{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.845{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.835{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.831{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.825{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.823{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.815{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.809{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.806{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.792{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.788{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.785{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.782{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.779{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.774{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.772{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.771{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.770{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.759{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.756{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.752{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.749{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.746{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.744{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.735{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.697{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.695{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.693{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.675{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.663{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.638{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.633{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.626{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.622{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.621{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.618{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.617{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.616{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.614{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.613{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000360242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:03.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59970-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000360241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.111{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.110{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000360239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.108{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000360238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:06.026{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F381524C8F4F3A29097A82679F0724E6,SHA256=A7AFD53152F70F76D127BBC053C50E28E062BAA7FCEB092B2F414569DBF9CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:07.992{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9410EC96E668664633CA798CDF5856E,SHA256=A2FB9B0B2788B37E325F610BE81047F1ECEE42A0F978216C2C29A4AD993A63EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:05.318{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52321-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000238599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:04.909{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000360298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:07.392{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A016D6F78DF08B0369155371224F6B,SHA256=29123929A026854967AE7B4EF17E0DBEBEB16C48DF26CC5B523BADEBCF6FFF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:07.391{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B27E6FA7FF2E43C6B1C35C6764AADFB,SHA256=6248CE2AC039F85FA16312D2EF9EA86426DC7C3AC515CC509954EF0BDBF581B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:08.405{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAFCE425FD3D441557D97A2ADC10AF0,SHA256=1A36CA1B084DAD1FA58B820FA9F9F2ADC4CE6282907F9F9E33573527EB3400E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:09.530{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F1A2F836B4F51E9B616F4D60A48F57,SHA256=E28536672111F27D0472749F1EEAC5687B920D6C68F78694C8AB375F7ADA7653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:09.078{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9254D716B1E0205E0DF09ECE631A3353,SHA256=9490050605716ED7260666F0852F2D6F4E77A9C9576FF3CCF8EF74FE3CB022B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:10.606{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCA4C2C6372812BE79EE2B3ADA254A6,SHA256=34AF37479CA76424A5B89ED8017929AA174BD153851FF325D8F45AEC1B0771AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:10.171{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E60E77549B9D779BC4D53EADA39C4D,SHA256=1AA7475F8523CF67BE598FDC96E12162C633D10E3C5DD8A7ABE4FF1067AE5887,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:08.769{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59971-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:11.713{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4942B28DD83DF0761C4F2E13C1AB3485,SHA256=BED30996F67D49EF27C3EE8E4CA710EC27A215679A2D5737FF9489E45EDA2081,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x8000000000000000360304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:11.681{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475Binary Data 10341000x8000000000000000238621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.996{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.986{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.960{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.869{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.852{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.841{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.834{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000238604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:11.266{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76437E4DAAE90BBECDD9D5A83CC2341E,SHA256=AE2AB98966F7D1E9465EAB51390789ED4966FE237DBE1398AF71257E8832545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:11.315{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=92EE9148A290A24FA14AE1D99B2ABCAA,SHA256=FD64B95EB76B63DF23905C3F57AE505B02D87E77EFBB0A4D05E1FBF05E387746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:12.720{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923FDCE7C0ABB0C189A4EDF260B866EE,SHA256=937A7BEC226367A6E349BD45E8130AC806F0E47488B66D02EF097F83BC31D25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.407{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCF85F5525263961D336EAE2B9CECED,SHA256=ACA1D831D1E24699EF97F2A7F7D69BE700D5211308D18CBEB76026C2D3CFD69C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:12.037{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.030{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.027{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.024{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.021{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.020{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.019{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.017{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.014{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:12.000{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000360307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:13.769{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BD10C33A4D045FE63D19B2100147C1,SHA256=3BB59C041A2AD7548D87FA115FD0FE829D24F909E33C4A7FFBC7CD994C10C81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:13.462{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF67596E1D4C84ADCD469F4A3F691129,SHA256=308C8CA7B2A02A573C4647F1CDD2B5C902275ED587E57BC98247E8988A0B617A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000238635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:10.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52322-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:14.782{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E821E8B7E63655C52D76196BD88C5A09,SHA256=2F7BBE7CBDC01B0810A498A5A525B5BF38A1D663A3775BC151873F25B2C6C502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:14.537{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89350C606160399EA6FAF21E205B63F7,SHA256=9B9C5C21ECBF7503AF8108945E0B5345384E070BD0C6D0C3A9A29CF8E0648D6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:14.434{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:14.434{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:14.434{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:14.421{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:15.894{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000360309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:15.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78889099221F4D2CBC825D3F95467923,SHA256=7CAFB7ED607712F8E3391E08C9CD0C5AB294B69ADC8744DC7A53C1A9EFC40BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:15.639{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B0EC8993AF48DB989124E388054BA0,SHA256=06AAA35D077AC5187FD8458FD84FC89AB7E97EDA9FCD69C27DA0B1AF02A34EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:15.489{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FB9206BD91489DF441CE36AE21A49D20,SHA256=422FBA2B876AE9F952E17983502B2F9C1A913A0D788904CC3D11F55D84BD9941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:16.869{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF6E051AF8317415CC0B8136713E1CA,SHA256=D4EC2BA0CD9DAC8B914F8971A4F2805FCFAD0670A52CD7E649ADB229617DA309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:16.731{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE468438F94F9AF387EE2151FE43A4A,SHA256=6BD973758738CEC7651C4CF1E736F80B1BD262730D56CD5C1897527FABCD3627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:13.776{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59972-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:17.974{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A8D2E6A54B8921440D292E8C983A1C,SHA256=AEB24A9B2F49B6F6DD368075509E633F5D271D013E180AFC8F4F49588B77E02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:17.832{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE94600F6FB55E38AAF20ECEBB562F33,SHA256=EE513C0039E5B1C9297460B1D4875038A7759196CE01AF9E881618177B49EC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:18.915{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64353721AD85532139A18A97FB41DBE,SHA256=2B3745C8FE4BFA6522C3264A103F2B66ED414805B97382BFEC1524524662D043,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.046{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 
734700x8000000000000000360322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.042{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7,IMPHASH=46FAD5286B22154C348CEBCE1107AFECtrueMicrosoft WindowsValid 734700x8000000000000000360321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.038{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=97FF7E9EC6FCEA3BFF925EF0B3D2C2A0,SHA256=58F5AE5BF2EFC87F15BF756F6E9F9F015EF5982BE6116B7D6E74CD9DDA5B3E7A,IMPHASH=CE8BC9B3664FDF4538851BFF6C6D25A5trueMicrosoft WindowsValid 734700x8000000000000000360320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.034{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\logoncli.dll10.0.14393.5427 (rs1_release.220929-2054)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=2FC58E28A22581D66092837503A7FF8D,SHA256=21FEEDFA03D9DFBE623AD1F94311064902A292F39E30FF164F18AF40752FCC12,IMPHASH=343CD4C5D9D6DE17581010BBB9270B57trueMicrosoft WindowsValid 10341000x8000000000000000360319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:18.048{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.047{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:18.024{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90,IMPHASH=158FC41AF95869DAD152F6AD98D3B1B5trueMicrosoft WindowsValid 734700x8000000000000000360316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.020{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=F67DFB27AACE637BEA56D3EB0726B943,SHA256=3663C2F3579BEBAF433AF101902ADA3FF87A3A6005F0AF77D1894458286E3656,IMPHASH=82F8D10D6DD61C5D488E58E1BB2A29CEtrueMicrosoft WindowsValid 734700x8000000000000000360315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.005{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=ABB61EA7CC462930FB56C2D004A5B06C,SHA256=7C1525EEFF5357013C68BDDAB2F255E40C8D82A43EF05F374B8DE7D8B5247711,IMPHASH=B1A124F5ECF68D9AFF86BEE7BFF328D4trueMicrosoft WindowsValid 734700x8000000000000000360314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.003{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=3AF8578D70A29700B850B6E3AE16707C,SHA256=B8A4643A53617A2CC849B1CB520F59C51BB9B2D17EB51CF92AAE7779AAE642F3,IMPHASH=BECD21EE9D727374BFBE0E55EC100256trueMicrosoft WindowsValid 23542300x8000000000000000238648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:19.647{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BCB1EFFA39CCB7D869A8A554FA34E0DC,SHA256=ED964371007A08B5E7FEA6ACB9791F1366F703B102F1184EC4838A8A291993A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:16.288{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52323-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.735{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F389CBA467AD124759361BCEBA0E7D4,SHA256=A9FF7C3450AEF52BB4124C472200F10517F9E79D971C109FC976E5FC0C0D7CBC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.498{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000360390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.492{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\SettingSyncCore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Setting Synchronization CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationSettingSyncCore.dllMD5=FD18600CAFB4CA2A9433029272CAFC0C,SHA256=8C0FB15398CFEF94C398AA5A1E34058828B38F1058CD70ED1C30C0998E4A29EE,IMPHASH=74EAA97CB7AF30DB5A42CCB49C15A599trueMicrosoft WindowsValid 734700x8000000000000000360389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.475{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=E50CB1075E2B56754D0E52F264DC8E31,SHA256=5AD5BD48D58C9F64022994DE8199E7BF4AEDB64662037C1C79819336D39A545C,IMPHASH=E9B92570926E7B919F56524ABF99CBCDtrueMicrosoft WindowsValid 734700x8000000000000000360388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.466{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=807D0265EEB480488FD8F5BD31941489,SHA256=865D0A59E86E52F514BD1A782575CAD36100D7723595E566DD200B538D8B3A9E,IMPHASH=D3851D2627EE20865D40A6CE93CA8A17trueMicrosoft WindowsValid 
734700x8000000000000000360387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.471{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=807D0265EEB480488FD8F5BD31941489,SHA256=865D0A59E86E52F514BD1A782575CAD36100D7723595E566DD200B538D8B3A9E,IMPHASH=D3851D2627EE20865D40A6CE93CA8A17trueMicrosoft WindowsValid 10341000x8000000000000000360386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.530{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.529{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.528{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000360383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.523{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=97FF7E9EC6FCEA3BFF925EF0B3D2C2A0,SHA256=58F5AE5BF2EFC87F15BF756F6E9F9F015EF5982BE6116B7D6E74CD9DDA5B3E7A,IMPHASH=CE8BC9B3664FDF4538851BFF6C6D25A5trueMicrosoft WindowsValid 
734700x8000000000000000360382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.465{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\twinapi.dll10.0.14393.5006 (rs1_release.220301-1704)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=F59DB1EAA1AD037F4624E737B0AE7612,SHA256=7A20647C8D71C75712425A34A507A2109A5218E3CD9D3C04E91200F6C1E36916,IMPHASH=A5B4C0FF06C95F8FA4ECBF4021AB7EB3trueMicrosoft WindowsValid 734700x8000000000000000360381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.521{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\logoncli.dll10.0.14393.5427 (rs1_release.220929-2054)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=2FC58E28A22581D66092837503A7FF8D,SHA256=21FEEDFA03D9DFBE623AD1F94311064902A292F39E30FF164F18AF40752FCC12,IMPHASH=343CD4C5D9D6DE17581010BBB9270B57trueMicrosoft WindowsValid 734700x8000000000000000360380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.521{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90,IMPHASH=158FC41AF95869DAD152F6AD98D3B1B5trueMicrosoft WindowsValid 734700x8000000000000000360379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.520{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSAMCLI.DLLMD5=F67DFB27AACE637BEA56D3EB0726B943,SHA256=3663C2F3579BEBAF433AF101902ADA3FF87A3A6005F0AF77D1894458286E3656,IMPHASH=82F8D10D6DD61C5D488E58E1BB2A29CEtrueMicrosoft WindowsValid 734700x8000000000000000360378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.519{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=ABB61EA7CC462930FB56C2D004A5B06C,SHA256=7C1525EEFF5357013C68BDDAB2F255E40C8D82A43EF05F374B8DE7D8B5247711,IMPHASH=B1A124F5ECF68D9AFF86BEE7BFF328D4trueMicrosoft WindowsValid 734700x8000000000000000360377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.518{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=3AF8578D70A29700B850B6E3AE16707C,SHA256=B8A4643A53617A2CC849B1CB520F59C51BB9B2D17EB51CF92AAE7779AAE642F3,IMPHASH=BECD21EE9D727374BFBE0E55EC100256trueMicrosoft WindowsValid 734700x8000000000000000360376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.453{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17,IMPHASH=F65198FB793A8A98E01EC9C1E0924384trueMicrosoft WindowsValid 734700x8000000000000000360375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.504{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x8000000000000000360374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.500{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000360373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.452{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11,IMPHASH=72645B79B3F36D7DD23879EC939355AEtrueMicrosoft WindowsValid 734700x8000000000000000360372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.451{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.5427 (rs1_release.220929-2054)Crypto API32Microsoft® Windows® Operating SystemMicrosoft 
CorporationCRYPT32.DLLMD5=13547939C72439809CB44F4D6A692555,SHA256=5334C1DDE63B42864FAD8B08EA747BE1209B54E705996DDA73D7B4E4F697761C,IMPHASH=3B7148B202E165B9B54CE80B989E47E8trueMicrosoft WindowsValid 734700x8000000000000000360371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.468{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 734700x8000000000000000360370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.467{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7,IMPHASH=46FAD5286B22154C348CEBCE1107AFECtrueMicrosoft WindowsValid 734700x8000000000000000360369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.413{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEMD5=1A3B0FF3E223494347622890CB313A50,SHA256=D715B4B742913367F54A47C3747AA312C7B938B56BD3A24E5E33E1E91FA03937,IMPHASH=027A05A63341529EA0932E72FEFFFCF0trueMicrosoft WindowsValid 734700x8000000000000000360368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.454{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000360367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.453{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000360366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.430{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000360365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.430{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000360364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.429{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007,IMPHASH=533BC84A1EC4841BF15F5E4FF63A29F1trueMicrosoft WindowsValid 734700x8000000000000000360363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.429{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000360362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.428{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=C6546AC6C60F9CCBB2152397535E7546,SHA256=ABD5F8EB2A0EA16D6DECE48467E246EE3413C78E48E44A7F5935D11A2884E847,IMPHASH=9D339EEAB735596FA7DC404B5B56A994trueMicrosoft WindowsValid 734700x8000000000000000360361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.427{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000360360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.427{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=05685D846954E1BDD621868E96488B6C,SHA256=D628EDE3BE96C118FFD69A1ED3FB47BA475B7C304C20CA47D80421F5FA466522,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x8000000000000000360359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.426{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000360358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.425{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000360357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.425{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E230B8A7225E6727EC1886846413A54D,SHA256=2ABEF9C7B0EFD58B1CDA5B3C4D784F007C631329FC452E780105D35217A40497,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000360356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.425{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000360355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.424{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000360354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.424{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000360353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.423{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000360352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.423{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000360351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.423{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000360350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.423{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000360349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.422{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000360348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.422{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6A51D4762C9E3554953ABBB5AA1A4050,SHA256=12422A5E2171851EC8ADADD11313F9E74310F137CE60C3E547EFC658A52BCEF8,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000360347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.421{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000360346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.421{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000360345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.420{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000360344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.419{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000360343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.418{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=40609845B5F71A923CADA8E9BE0DBCD3,SHA256=4A37BC90B133F9E768570F8DD15ACFB242D766D91161ED927EB6D059E8A1E026,IMPHASH=C3A947E86E0B67FAA3B0B56CC5C7BCA6trueMicrosoft WindowsValid 734700x8000000000000000360342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.418{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000360341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.416{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000360340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.416{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000360339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.416{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.416{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000360337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.415{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.415{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000360335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.415{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000360334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.414{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.414{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000360332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.407{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.407{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.407{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.407{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.406{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.406{30B46F62-7D06-6352-0508-000000008B02}56007700C:\Windows\SysWOW64\regsvr32.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|D:\7533.dll+c020(wow64)|D:\7533.dll+db3b(wow64)|D:\7533.dll+6319(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000360326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.339{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\SysWOW64\explorer.exeD:\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=1A3B0FF3E223494347622890CB313A50,SHA256=D715B4B742913367F54A47C3747AA312C7B938B56BD3A24E5E33E1E91FA03937,IMPHASH=027A05A63341529EA0932E72FEFFFCF0{30B46F62-7D06-6352-0508-000000008B02}5600C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe 7533.dll 10341000x8000000000000000360325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:19.339{30B46F62-485E-6352-1300-000000008B02}8486564C:\Windows\System32\svchost.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000360324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:19.152{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4BDE985A1020EE9284F6B40D8A9194,SHA256=70FA0D5AB513EE6DC343BA33E9DF23CF64463DA6A6662698442F855DDAB2AAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:20.391{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F2089F36AC49C6BDBA8FB4A905225F,SHA256=C370AF070F56F6ED4CF41A9F925A2C3A1DF742EAAF946DAE80CDDEF0B7CD21FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:18.844{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59973-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000360393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:20.187{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FB6FF33E7648CEC0C91CDDA1E829AD,SHA256=40CD565CD4FFC61F6BD0CB3D2601171727C2A850CAEAA2018AC352EEAF05CC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:20.019{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854DE04406478F8BDA8CD3B11566AC9E,SHA256=E365B06B88C55C0E5934C0294A3A2CE09EDA4C367011669D39E0C6980CE56F80,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:21.537{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.5427 (rs1_release.220929-2054)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=16183D721B01A31F06A402C4A4D24D79,SHA256=61A819BC79302BFD0B21FA3695AE091869C83700998A2C355AA512A077783CA4,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 12241200x8000000000000000360402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteKey2022-10-21 11:06:21.551{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe\REGISTRY\A\{d37c1b67-d764-bd05-e16a-d56bc66b396f}\Root\InventoryApplicationFile\PermissionsCheckTestKey 
13241300x8000000000000000360401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:21.551{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe\REGISTRY\A\{d37c1b67-d764-bd05-e16a-d56bc66b396f}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x8000000000000000360400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-DeleteKey2022-10-21 11:06:21.550{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe\REGISTRY\A\{d37c1b67-d764-bd05-e16a-d56bc66b396f}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x8000000000000000360399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:21.550{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe\REGISTRY\A\{d37c1b67-d764-bd05-e16a-d56bc66b396f}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 734700x8000000000000000360398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:21.536{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=26F75D7632CFB048662E0F2D053DE91D,SHA256=982130114F522A963113639D829DDC6D3D556F052C3DCF7DFE0F3F8F538CF8F0,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 13241300x8000000000000000360397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:21.535{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\SIGN.MEDIA=7D8772 calc.exeBinary Data 
23542300x8000000000000000360396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:21.293{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981F41D083C2382305A20B7374721162,SHA256=77E5572A9FD7477FACC5B17D015EE24588B72C19506ADFEA22CBCEC9ADCED8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:21.110{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE541884FBAADBBF6273A35402A66924,SHA256=53D5953E456415B1AAAD2172DC655C6F8812EEEF700087C4DB984B48BBD524B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:22.181{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9754E07BDCF855E4249CB3163619B248,SHA256=8215A0BEE36CB511ACDFBC91A84633A2603986AA803C810185EAB97C7AFFF849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:22.324{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656A1CF4A7D7E7740E9A4F407010A6DF,SHA256=8E018084D101451E4E5021BFABBBA9E0CCB656F3EF948605C0076A830DF906DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:23.266{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E882170550786B5C89B363E1E26F0D7A,SHA256=5740FD51A9B27C23D20861094D8F748011F38246D0D54F03F5381DFB37CCA0AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.731{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.727{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.724{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.716{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.715{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.706{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.698{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.693{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.692{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.690{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.684{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.676{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.665{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.658{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.648{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.633{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.594{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.584{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.579{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.571{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.564{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.532{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.530{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000360405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:23.345{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C78FDA9D6E6D3A80A60B5A832F165CC,SHA256=959B9171A1554849A7729B0C0A7452555FDF45CEF6CA111FEAAE1AD2A0E57107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:24.343{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9315CB93627FFA347466004DF5D22CA9,SHA256=E121ED9CFCC7C1CA4994240E747A4200A190E900BED24F173BC691BA41B0A37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.617{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58A4966C8145304CF94045A707B69B5,SHA256=61FE01A4133A3825D9B2C0570408DC67F8618C82EFD7157C3487411D4DA0503B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:22.263{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52324-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.263{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F7EA849F3B283D1C1120EB36FA3D8ECA,SHA256=6F8A1B51449E1CDD69D26D112CBD1B04E6E8B95F317BED5761714F711344E2D4,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000360442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.209{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.209{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.208{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.116{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.116{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.116{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.115{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.115{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.115{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.115{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.115{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.115{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.075{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.072{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000238655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:25.431{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDEEEBA63E2EE5D086D2AD2C11920E0,SHA256=AE33B6342F31E6D20C0CCD5DC7EA179222247209CDA52DCFBCC948597CED4869,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000360445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:25.663{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C74AFB8A8193FBC8777DC24A9F23BF5,SHA256=6B77F761FE8E44FF62D8565F9F4030138773141E9ECBDC7960274E4BA8A3C369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.861{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.860{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.860{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.856{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.853{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.849{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.844{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.840{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.838{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.835{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.832{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.829{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.826{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.823{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.820{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.815{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.812{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.809{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.805{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.802{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.799{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.796{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.793{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.790{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.786{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.784{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.780{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.776{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.773{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.770{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.769{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.769{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.751{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.748{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.743{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.741{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.738{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.735{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000360475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FE5C4871D7D2204781FB4F7B2D134B,SHA256=151A8FDB22D21AA8CE22CB3879FB36DC54AA7D1A70C47469463AB808B9914CC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.724{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.687{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:26.685{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.683{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.666{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000238656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:26.530{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB810C9F1A26CAE2B8690E53048E5317,SHA256=0C0ED3FB9FD3689DD19DF02FAFA7AB9B49EBB3A1C3BE5CE3F303A4F9621261D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.656{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 
10341000x8000000000000000360468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.630{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.624{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.617{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.612{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.611{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.609{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.606{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.605{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.603{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.603{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.088{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.086{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000360456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.083{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 734700x8000000000000000360455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.022{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000360454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.020{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000360453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.017{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000360452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.014{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000360451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:26.013{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000360450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.012{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000360449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.028{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000360448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.028{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.028{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000360446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:26.010{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.980{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000360566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.980{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.965{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.965{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000360563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.965{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000360562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.965{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.949{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000360560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.949{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000360559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.949{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000360558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.949{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.944{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.944{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000360554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® 
Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000360548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.928{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.927{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000360542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000360541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000360538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.911{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000360536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000360535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000360534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000360533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000360532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000360531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000360530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.896{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000360529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000360527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000360525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000360522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:27.880{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:27.880{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:27.880{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.883{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000360515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:27.880{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D9B26F91263AE6FDDCECEE36BECFFC,SHA256=656EEDD6D46C79CF6F5EF504ED93AB09FBF41997DCC030D87BCE8A76820735DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:27.627{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A2C383222D074D3A2F0EC51F7849C8,SHA256=1B268C840C91EF59E045A2B09E20D6D9CDD4A2D0E99FC605EC377AA5A41316FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:24.683{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59974-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000360623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.986{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7ED7A97B3AB60988C2E9F51B71D148,SHA256=9FAFB608B1DDE4866CFCE305AB093F6DE039C0A905F3D84C8F3201AF811CA0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.986{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3ADEEF44C55805A79FE9522E113C399,SHA256=F2594950759D8708F3DFA80E4502F321F9F702B1265CD52A88D9BED5AEFCB15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:28.723{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519E6D0C356946C93CA6D8B2C67E4D5E,SHA256=87A3934C212905B3CD2DF3BBB202405B3A3F47168D59D1DC36B77B07AE8A0DAB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.744{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000360620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.728{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.728{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000360618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.569{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000360617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.569{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.568{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.567{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000360614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.566{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000360613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.565{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.564{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000360611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.564{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000360610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.557{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.557{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.556{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000360607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.554{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.554{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.553{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000360604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.553{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.553{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.552{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.552{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000360600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.552{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.552{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000360598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.551{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000360597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.551{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.551{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.551{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.549{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® 
Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000360593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.551{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000360592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.550{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.550{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.550{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000360589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.550{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.550{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000360587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.549{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.549{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.549{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.549{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000360583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.548{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000360582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.548{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.547{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000360580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.547{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.546{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.545{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000360577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:28.545{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.545{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:28.544{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.544{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:28.544{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.543{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.543{30B46F62-7D34-6352-0808-000000008B02}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000360570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.128{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000360569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.128{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:28.128{30B46F62-7D33-6352-0708-000000008B02}4480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000238659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:29.817{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D0492707CF64067D1B81495F098507,SHA256=6121C96941A1BB0F94E771B7E9879F5C823AFBBC341008042036CC826F0BABE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.412{30B46F62-7D35-6352-0908-000000008B02}9840576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.412{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.412{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000360672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.251{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000360671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.250{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.250{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.245{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000360668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.245{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000360667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.245{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.245{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000360665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.245{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000360664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.245{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000360663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000360654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000360653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000360652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000360650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000360648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000360646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000360643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000360640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000360638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000360636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000360634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000360631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:29.229{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:29.229{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.229{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.228{30B46F62-7D35-6352-0908-000000008B02}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000360624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.007{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B95EA94983F6BC7782AE23BD9377F8,SHA256=AC9158756DE7A5B70199F9395E5A49616B73A8CD9695F1C3AC6F6DA53CC6E9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:30.913{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B751EF4B2853616CEF286176CA241BD8,SHA256=3C54C36584577EB9CC2218BEDFA60174F384B9151663450E232F1A789AA519C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:30.985{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=96F716F3B1B3EB80E904AB5CB95FEFD2,SHA256=A6AF57690AA1C4652F2ECA5D95DB5A3ADF94D8DC52D7BA7CE5CBD7ED814F0F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:30.113{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E187223439E1577F3F50D05BECEB92,SHA256=90614166B6DA0EE49230D00BDED2D8052F94FA45B0F3690294AB5B93C30C2195,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:27.434{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52325-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000238679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.984{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.984{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.970{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.970{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.955{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 734700x8000000000000000360736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.675{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000360735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.675{30B46F62-7D37-6352-0A08-000000008B02}884010132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.675{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.675{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
10341000x8000000000000000360732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.587{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.587{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.587{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.586{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.586{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.586{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 734700x8000000000000000360726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.492{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000360725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.492{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.492{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.492{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000360722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.491{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000360721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.491{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.490{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000360719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.490{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000360718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.482{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.482{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.481{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000360715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.481{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.480{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.480{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.480{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.480{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.480{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000360709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000360705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.479{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.478{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000360701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.478{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.478{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000360699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.478{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.478{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000360697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.478{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000360696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.477{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000360695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.476{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000360694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.476{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.476{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.476{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000360691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:31.475{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.474{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000360689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.474{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.473{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.473{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000360686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.473{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:31.473{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.472{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:31.472{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.472{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.472{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:31.300{30B46F62-7D37-6352-0A08-000000008B02}8840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000360679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:29.787{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59975-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:31.183{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F79B42166E441BB86DADD769BF11E5,SHA256=1EB7FFA69273DB047A878F4FA5CCC8BE226EDC43EAF11159328DD4FF6B91387B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.914{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 
10341000x8000000000000000238668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.864{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.858{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.841{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.820{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:31.816{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000360737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:32.528{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D087753770CCB807663A0E025A0810E,SHA256=A8D24EEDD7CA51990D27BABB2BF83DCF4C19784C6DACCBD283BD8C1D57D3880B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.030{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.023{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.018{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.014{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.009{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000238682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.007{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF22650D2E602CD92C5CFBBE8078BC9,SHA256=F4028154A0330A52040FFA86842C5787E63451E319D519E6DD7D27EEE8FF71B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.006{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000238680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:31.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 734700x8000000000000000360790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.867{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000360789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.867{30B46F62-7D39-6352-0B08-000000008B02}74289684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.867{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.867{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000360786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000360785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000360782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic 
Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000360781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000360779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.666{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft 
WindowsValid 734700x8000000000000000360778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000360775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000360772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000360768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000360767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000360765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000360763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000360756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000360754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000360753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000360751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:33.651{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000360749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000360748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:33.651{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000360744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:33.651{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000360741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.651{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4905155AD901D8BF1C5D0C2C074A1200,SHA256=80D226F8BF485D2E221010ED668B77C6F82E6ABAB845A3F33298D0429870DAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:33.651{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.652{30B46F62-7D39-6352-0B08-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000238693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:33.105{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.996{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E80CA64D3D2D64D56E55131695B6B5,SHA256=357F7BF70AD2C017B1BDE41EA7169F5CAE3D8D1908166F3BA2205B2178706F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.113{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.812{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000360851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.811{30B46F62-7D3A-6352-0C08-000000008B02}98643720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.803{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.801{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® 
Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000360848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:34.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.717{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000360843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.715{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000360842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.715{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B1832A1347879D33C6715F1F877381,SHA256=FD22817D9AEB8855F6FF9A0E6F7DBF9C490F1EFF9FE7BCB5B8BD8DB6CDC0832F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:34.707{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0ABDE6D72F2B8EF832C14174009396,SHA256=09C03DD51AAACBDD358BFC5C4138DBE07489F560538A24CF7733BB050545A1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.704{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=833B9FB7689C1275B31A88F177AA7B43,SHA256=9BCA0C19774E52429D73C774013EC5EF3A7BE6363B79C92D63263B07D252BE92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:32.334{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52326-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000238694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:34.093{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5E0480B997C690B5C1B06098D7807A,SHA256=703261742BC76F0DFFB25722D6A6E6C7E65BBA65CCE794505543DDDB82DDEC3D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000360838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000360835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000360834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000360832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.493{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000360831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000360828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000360822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000360819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000360818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000360814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000360812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x8000000000000000360811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000360810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000360808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000360807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000360803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.476{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000360801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.461{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.461{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.461{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000360798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:34.461{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.461{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:34.461{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.461{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:34.461{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.461{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.330{30B46F62-7D3A-6352-0C08-000000008B02}9864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000360791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:32.732{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59976-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000360907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.770{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88851C8A030311DCEEA0EBFBE98BCF79,SHA256=8B86A150CFB84BFFCC3468423B3C15E78C2BCEC5466647048C44B2214BD6EA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.770{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461455E1A5FFA2455CDB832E6E008AE4,SHA256=46EDB040B8E3302F135BC0FD5610C67DAC67194D5E3B13E9CA93BDA2DD5CF30B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000238697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:33.322{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52327-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:35.219{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13465B069BBC9E776D2D347DA3C14ED,SHA256=94EAC551CBD9C6C90A3B335D85AEAA9E8AA74BE3C634ABADC84CA92A45DD8B6E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000360905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.408{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000360904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.408{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000360903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.408{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000360902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.292{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59977-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000360901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:33.292{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59977-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 734700x8000000000000000360900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.214{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000360899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.214{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000360898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.209{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000360897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.209{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000360896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.209{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000360895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.209{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000360894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.209{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000360893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000360892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000360891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000360890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000360889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000360888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000360887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 
734700x8000000000000000360886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000360885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000360884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000360883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000360882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000360881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000360880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000360879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000360878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000360877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000360876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000360875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000360874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000360873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000360872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000360871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000360870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000360869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000360868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000360867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000360866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000360864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000360863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000360862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000360861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000360860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000360859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:35.193{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:35.193{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:35.193{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000360854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000360853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:35.193{30B46F62-7D3B-6352-0D08-000000008B02}8872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000360909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:36.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68F8996C6234A783B8F82CA12CE7895,SHA256=333346A4ACC7AC947DC9D8B60EA42A2595A1F387845F4B5301B2163BB2E01512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:36.326{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D26802F0DE4AF398B590EF97A1D2D19,SHA256=11568C125D2A73AC0F1665BADA0A5A88DA334262D80193D7DC3E4A1496CA1079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:34.886{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59978-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000360910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:37.929{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F1A28005E9D8F63956AEE16411C50C,SHA256=4AB4D44B0BFF4237CAB219EEBBFFD36E2538C85BC1390DE781C0CCD9987A7113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:37.426{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E068B6F5F9CC4140070A0DE6E0F97635,SHA256=865BA7681513FD938073E77739FEA65A041147783A1E55D1AD57437CB4DF6C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:38.976{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C5BFE9302B3C46D2FBD854686A9AA6,SHA256=B74FC1257C2A898DCD7C001E3A0A9A1FE848F6D905E892423901EA629FC1703A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:38.536{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C99D7988D36532A25EB83184E75A589,SHA256=F622F56FF4561AAC6A560FD45491290F12C6F5E2BC1E4F3CD0DCE0B9136EEFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:39.647{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A69FB6065B4C4A5D82984A6AAC94AE5,SHA256=7516173A68322510D8ED0CA7B42385D2F64B907ED5E31FC39C053CA0CA069E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:40.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5850E37DD6E1F8267C09D9922AB860,SHA256=FEC77241C51E47F2A41594C961390A56961D63C4B93400EEAB373AFD978699CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:40.074{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CF17CF508A3C01864E1D176B9E93A4,SHA256=A3752B3D6E851484B87DE6E582284C1D7FDBB3FC09E0C889256471D1A84DB219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:41.998{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-219MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:41.830{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A55725E3DD0067DF670D4ED45ED80FB,SHA256=F04644E09EDA5406D1445E3A2DAFE7EADB8495D76D1F3FC13C9677E3CF7B1108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:41.188{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16787E3DB30FF768D4C16CF7F7CB83A,SHA256=BC89E2DBB85B5389FBBB2FE67055A732BC3E20D87D3F28EB500A289E007BB565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:38.442{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52328-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:42.997{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-220MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:42.937{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDF5768AFAA2ACA71341F467F9A263D,SHA256=3B48A2EEF0408C3B7C2D34AC86AB0824F2C24827128B08206A12EC92AFFDD24D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000360915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:40.815{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59979-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000360914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:42.306{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5168E0B14004171E90F3C46E82ABF65E,SHA256=B5991DC13E97DA3BB898BA0C4E08FB10136F701A1EF5470D295E67E84771BF6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:43.807{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.799{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.796{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.789{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.786{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.770{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.757{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.742{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.736{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.734{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.721{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.715{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.700{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.691{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.677{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.667{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.624{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.609{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.601{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.587{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.577{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.539{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.536{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000360916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:43.405{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798111202137731BA5BB73DE11ED58FC,SHA256=67C1AC9F23803C2D9AC841216E311C4EA98EA41899A378D08BA23CEA731176D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000360942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:44.442{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08B966892544ABE95923836682509D9,SHA256=851C208D981BC5276B0D5C0E0EF59807D30B98CD3930569C11EABA4FAC334BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:44.033{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9B61DD2BF91E2AF9F62D8B1AE8A839,SHA256=BD1513030967BAE20DBE6FCC4CCBFBB06DAC8EA224324F1EC80382DC408BF09D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:44.228{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:44.225{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000360943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:45.558{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9683E677F0929787CC2334B313B5AC63,SHA256=FA863623830BEBEF20256082157AF86F7A0B3C61CA61AE947362D43BF5124194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.716{EFF5EEA8-7D45-6352-C206-000000008C02}30442512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:45.681{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6C5AE0364DE72D5601793F9904A444E1,SHA256=771635D1607273E5405FF210189EB54EC55107007306C9A121B5CE96BFF1DB8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.618{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.618{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 
10341000x8000000000000000238726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.618{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.617{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.617{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.617{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000238722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:45.537{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.537{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.538{EFF5EEA8-7D45-6352-C206-000000008C02}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:45.134{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9D23E5C23CFD230208586685F57B18,SHA256=1C00E50F8DDB7B52D79F21E032A25EF18B8A0F6C39A19889FFB7339D06C35E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.888{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D46-6352-C406-000000008C02}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D46-6352-C406-000000008C02}2724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D46-6352-C406-000000008C02}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.888{EFF5EEA8-7D46-6352-C406-000000008C02}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000238747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:44.472{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52329-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.669{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A965097F11F0979CA14E6BBDFA01EA96,SHA256=141CA95580AAC6D57D08503EBA38093279A24DF5CF92F24D827A46DD2F3440BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.363{EFF5EEA8-7D46-6352-C306-000000008C02}31643572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.253{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3049CF0F9B31F43358F1CCD233563C,SHA256=983FDFCDB682B63C508F5C3119B1A0860F59AA872997B05636484625478F8C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D46-6352-C306-000000008C02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:46.201{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D46-6352-C306-000000008C02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D46-6352-C306-000000008C02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:46.201{EFF5EEA8-7D46-6352-C306-000000008C02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000360978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.997{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.982{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.979{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.976{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.974{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.970{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.968{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.967{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.966{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.953{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.950{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.946{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.941{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.938{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.936{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.924{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.878{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.876{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.874{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.858{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.848{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.824{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.817{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.807{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.801{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.799{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.797{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.795{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.794{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.791{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.790{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000360947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.689{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B6E44CF62C6A5FA52988C8CC655A61,SHA256=BC39C23BB06DA82DC7ECC1655EFCD7F364AD9DD5865D80D64410FEAD278C5440,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000360946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.277{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:46.276{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.274{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000238775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.833{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0DF1BDEF8B1AC2DC2414CA0A40713C,SHA256=FD552B7451C5CB9A4537ED8CB7450147F52C8100BC0B6B66E31E458C92BEDE59,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000238774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.740{EFF5EEA8-7D47-6352-C506-000000008C02}2444980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D47-6352-C506-000000008C02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:47.565{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D47-6352-C506-000000008C02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.565{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D47-6352-C506-000000008C02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:47.566{EFF5EEA8-7D47-6352-C506-000000008C02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000361004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.789{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6703E444C882B1C02254879301FCC3,SHA256=524DD6717B384C9D8D42F30D88555FB425EC7D6ECFE0DD0047078CDC1892B9C8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000361003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.542{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000361002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.322{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26827DCC23757FD2DFBDD1101C9A311,SHA256=7432667AE05A56FEBF8322D660783649EFC8AFC8E8DA1FB98AF5F088B7E34715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.071{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000361000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.070{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.070{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.068{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.066{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.064{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.061{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.059{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.056{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.047{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.044{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.042{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.038{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.035{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.033{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.030{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.027{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.024{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.021{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.016{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.011{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.006{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000360979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.001{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000361006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:48.905{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D877241DCCFD00D2E866B667B16181FB,SHA256=9A3FD445A57F48A876F8DFC0F4B21199A3A00B4C4586AE0B8C6712D742369716,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D48-6352-C706-000000008C02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000238798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.912{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7D48-6352-C706-000000008C02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.912{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D48-6352-C706-000000008C02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.913{EFF5EEA8-7D48-6352-C706-000000008C02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000238788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D48-6352-C606-000000008C02}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:48.245{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7D48-6352-C606-000000008C02}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D48-6352-C606-000000008C02}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:48.245{EFF5EEA8-7D48-6352-C606-000000008C02}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000361005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:46.681{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59980-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
354300x8000000000000000361008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.186{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59981-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000361007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:47.186{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59981-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000238817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.841{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A6E4EF2A80632A8BBEFF73F898954AF,SHA256=A8054CDD9F11D7B01B8E07D3CB616D078CD43098DAF873960D4552BC465E1686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D49-6352-C806-000000008C02}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:49.424{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D49-6352-C806-000000008C02}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.424{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D49-6352-C806-000000008C02}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.425{EFF5EEA8-7D49-6352-C806-000000008C02}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.162{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2DD5C300F9A827E59C4B650CCE8C19,SHA256=0A4F42B1EFDB289BF5B059630336CB8F205A9B637020B261FEC86885851CD905,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000238802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:49.090{EFF5EEA8-7D48-6352-C706-000000008C02}2772736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:50.028{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A18E625D53357EB409053218526F92,SHA256=FB4C3CE80A9DDC6C08C285CD1F0B4B139C9D855D67D7CEFE05EF1B164A41E753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:50.004{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E7F54C615D62E84C2B6205E0F35910,SHA256=7F3B7964C9BE946DF3315DA63491BB2585785F3776CB8610FB29C92801E0A7A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:06:51.986{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.890{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.857{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000238819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:51.068{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB62BB01731E4662F62D003CAEBE3211,SHA256=C15A1A42F0397D8AE22BB395DCA0D593A4241C67927B512433787CF979506135,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:51.754{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:51.754{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000361010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:51.140{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB5C4BA38DF5796552901DB618B2280,SHA256=CFC817D6F755FB2F396B7B989787DDAD7F51245A3B9836EBE360BCF5B5CC85A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:50.343{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52330-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.129{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF9234836FE3CAEA7FF048F7CBA5E3F,SHA256=58B1E245CFAA8D8398FD5BB673F2CB35D73255E62BE7C14115C42AF775196A39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.115{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.113{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.111{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.109{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.108{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.106{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.105{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.104{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.102{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.100{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.096{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.081{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000361013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:52.285{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B45320F38055611B00C766A43D1A745,SHA256=6C8564D285BEE5EE4C5CB7FD3FEAB466049FA4BE35C4F7565B0343FD1B6870B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.072{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.071{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.052{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 
10341000x8000000000000000238833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.050{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000238831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:52.002{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000238851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:53.109{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78D86A645493948527D6AA09AACF53C,SHA256=2D1FB0A4ACC1C280D2BC37C675CC1E07EA3909E789D17CF9B1A89ECD1C9046B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:53.776{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-219MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000361015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:51.400{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61552- 
23542300x8000000000000000361014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:53.387{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4033045EF7837871A5C6BC444CFBE0,SHA256=DCE54B479B306E2C0D13E541CB2559D1E437B851639273166E542ECF4723B5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:54.214{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3286D2EA44B74AF2024397135E54D5E9,SHA256=B801F97205F0112FD8C69320EE8A6DF447304BC8CD1EE5A4472BDAFDA9CFBDC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:54.996{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000361019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:54.773{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-220MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000361018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:51.780{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59982-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000361017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:54.472{30B46F62-487F-6352-7B00-000000008B02}4016NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4096D2CDFFE4AB59338BE1C71ACD36A0,SHA256=C66714915A44ED7202294A69570495504F6B8A4B3D7AFCFB0890EFD787F92DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:55.317{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592D8F22628AA16A40DC6ED2804A8898,SHA256=C178AF07009D707A23335B5BAE2C938CC017BCAF0CB27EAAC0AF7692F48BF7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:55.505{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C4926AC3C1DB5B848B131189CB8F1D,SHA256=4C2490E618D72C7E92B1910C4CEE94A5D0C4E31FBEE5BBF92E91D7E5BB5BE515,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 
13241300x8000000000000000361038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 13241300x8000000000000000361037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000361036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000361035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d8e53d) 13241300x8000000000000000361034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x3ae48191) 13241300x8000000000000000361033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d8e53d) 13241300x8000000000000000361032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x3ad0d58a) 13241300x8000000000000000361031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000361030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000361029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 13241300x8000000000000000361028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 
13241300x8000000000000000361027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.124{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 10341000x8000000000000000361026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:55.124{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000361025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:55.120{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000361024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.120{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 10341000x8000000000000000361023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:55.005{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000361022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.001{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000361021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:06:55.001{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-188.attackrange.local 354300x8000000000000000361046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:54.650{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59984-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 
354300x8000000000000000361045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:54.650{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59984-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000361044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:54.640{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59983-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000361043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:54.640{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59983-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000361042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:56.619{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EA793A988ACFA6D08206959E572707,SHA256=4664AAE85BE90F279BB1EE47CC0E13636BEC9E4B1692D00BEDC5EC1FD16E0339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:56.417{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53F68D1ADD9E1582F74F490641B6B40,SHA256=AD4FDF20A2AFC53E87245C01E288596DD0546CDADC5021DCBE476D474672407F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:53.183{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-63927-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000361041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:56.056{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42E5B36461C8C2D94B62EF59871AF530,SHA256=46E58D77E995A24A58712402D9BB9A6087E075867757017542598C0891D09457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:57.724{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8176E20B7E7DA4798D40E2EAF7EEEE82,SHA256=D90BEDAFA2DE27660A7507ECBD9253523F304D625B8F3E378D22CF97B87F17EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:57.513{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162EB9724F70A58E672A7B5D319CFAFC,SHA256=ECF654FB00EB696BF86CF0AD690C5E640AD9C474F154D4A2497F177312E236F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:58.839{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740BABCAF060D96999035A08E5CA9655,SHA256=B42AD3CEBA9C286B3F22C62BF30B9F1330792AE21711DFEDFCAE8057EDC8941D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:58.593{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6C4030B5258E61351EC1B2C58737EC,SHA256=B09EAC0C9F94130FB028420147B3554C1D9924430D273DFCF8AE211F5DA1FA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:06:59.969{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DD8EFCA90C8E9654957B3DA0D09DAD,SHA256=F6B0E1B0FE35A7C6B49BE78317DE06964BCA7A101F35A5848D2852A63BA04C57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000361049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:06:56.881{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59985-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:59.677{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C22096C9AD4E8C24B0733B9F55AE2D3,SHA256=3BB78CDD143B6DB530B1DC5877CF8337B792B69ED51AAD72D5D11B9595AFCA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:59.552{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71FA51A7734EAD9DFF4C708E886A2D2B,SHA256=9C837B471D5C2D71CEAB178206155C7322C6184C40959259E497CECE8F3E908C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:06:56.333{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52331-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000361051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:00.971{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56D91C5B696DAA29AAA6273F66DD1E,SHA256=6820AD66E9BB293B7FEA548B7C33860326252498B08EAB15A4E1C1B264BF6C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:00.766{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AADE8E205C708ABD50D27FBF238A401,SHA256=F9515534F21D916D1583AADD8EB573D97FDB78996D668CF91DCEE4AAA8DDD3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:01.862{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B9542EA8FA58CE22061B638BE30CFB,SHA256=37258D2B95CDFB81088C65F3B7C829E095B5B7056D52B387C31FBFFAF3F4B18E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:01.138{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=67DB0DEC15D0C8415FCB3D4FD930D2C7,SHA256=213422364BE34F2A07C1C76A833B47E3A53E8FB5B7928E37F793D9E97695A153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:02.955{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C219DF74D2D4486AE0EF4AA68D16C6D,SHA256=8A3E300E76C6F32CD98F7877C68576AA984B3A03A7D0F227C86608AE7211496B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:02.072{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FBA3C68706363DAFB4C5A2ABB268A8,SHA256=8A612C408EACFF98B10EC85DD3F3C09901587576F6C0E0579D3A95A3BB813966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.974{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A0C57C0E226BD6FCF43DFCEF43300AE5,SHA256=79135640D61BFCE60CE72168D5599A9832F157ED0362E4A421EBCE60E2E6BB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.779{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.774{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.772{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.765{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.764{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.755{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.744{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.739{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.737{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.731{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.722{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.715{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.701{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.687{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.671{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.663{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.626{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.604{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.590{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.578{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.572{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.535{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.532{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000361054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:03.165{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B6E5699898240F3B9DD3075D771982,SHA256=443CC3F657C088B2F06674B099AC17A3DE09218BAE39D1A6587CB59C13844744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:04.203{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:04.201{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000361079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:04.200{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50F636D7D442DD986C95B11182DD9BA,SHA256=905BF5E81CFBE606D7D9E8BEBB923856D5D84B734F4CC0D4AD9C010AF24EAF8C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:04.047{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F441DD72992F375171CADFF4F9D58E4C,SHA256=1A7E3AFDC3A96F551B29131CBE67183DB37EF9ED6F3F9C3AFF2DF3AAEF43FF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:05.280{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C167F98A5CA127E0A7A0A1DD3BAA8669,SHA256=130BEB35894F318A03FB61C862F285D8AB77F4446F005027EABE6312D9DAE9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:05.987{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BDAE651568B477DD571830117720AADD,SHA256=B882B04A4956F39D17F25C764FFEFE549CDBC08F505DB77C97BC6751AA0C7E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:05.565{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15CC3E13EB6777FED8685553C8FFB084,SHA256=02241FCAF743BC81C56EB2DDEAB1CD27D0BE63E1601577392A9A6288FB250B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:05.134{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CD9C8E5C94150B28721EE2A009C2EA,SHA256=1954003489F5DB8799D0A4A33EEC9BC451A6E71BCCE3AA53D6C2927F94A5FFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:01.481{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52332-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000361082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:02.858{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59986-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000361110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.998{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.983{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.976{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.968{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.964{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.958{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.953{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.939{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.873{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.870{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.868{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.842{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.832{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.800{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.791{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.775{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.765{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.763{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.761{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.758{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.757{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.755{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.753{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000361087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.384{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA70D4ACE369F60E4C2F23584E7F909A,SHA256=21B1087515F7C956FD07461CE29FBA4EFD5C8FBB173845036289C73EA67CC2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:06.221{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF529541F2416B48DEEF2983E8A549D,SHA256=1A21701288310C72ECEA85789366AC8706A15D77EE47FA02AD27FC120C7724D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.240{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.239{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.237{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000361143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.716{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351BB1D7A69CE14E3379221E6CC48334,SHA256=1DAEFFF7C316E7A9DF9D7B262EBD189FD92C07AEA986756500DAFFE40DDBFBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.716{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490440CC37C302B9DA0B188466D15B04,SHA256=B3E156CB80BFDDB58889BC49489EBAAC4F0C0814763DCEA3CEDFE92BB52BD269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:07.337{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8104E811CFCA926C7DF7A6727963A7,SHA256=484AD1A945218F259F006D195A0D524F0944FB7811AF61783FD384B284F83305,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.136{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.135{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.135{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.132{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.126{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.119{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.116{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.112{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.109{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.105{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.101{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.097{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.088{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.083{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.077{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.070{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.059{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.056{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.052{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.048{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.043{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.039{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.037{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.033{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.024{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.017{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.011{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.007{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.002{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:07.000{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000361111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:06.999{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000361144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:08.820{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB9059CCD8F48C14CF72DD09B124E67,SHA256=200964E22A889FAF48ED7346B7A517C52DCB7F343E92331F01A483B571532ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:08.439{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33F85FA8500326353FBAADFF78FCC85,SHA256=10A1708A5F908DC460F6E828EA718B8881B65E831982864B91DBC1233C5415CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:09.916{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C73FCBD892B49A34BE11E624427A8,SHA256=588DBD61282F7BAD86F73036226080831D00FB41419DB7F888F8F7B3958BE34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:09.541{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE9A8B4A35609DDB29C5A24E6F151FD,SHA256=20ED92E5F0CDB2338371E1E79F6718078EE4F56DA14581C3FE98A0C9F55364B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:10.638{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475A6EC91B317ECF78566A815D02BB77,SHA256=639531A799563570A83D2DC635073446B7B5087B29C63BB404C54AC7A3B46B71,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000361146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:10.067{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50CAE8A247F0BF0ACCB3DAEE32798624,SHA256=22115CA3CF2D29CCFF72DE1B5190B37B1D18019B997A85562DE6D6955A478AC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:07.436{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52333-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000238904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.982{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.979{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.972{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.954{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.874{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.869{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.856{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.841{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000238875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:11.726{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2E31C9F02153AA3F6955D16B960E16,SHA256=F339DAEF2D94EF1CD7F5A2FD19EDE4F91778F6913303CBCFA38C8D7548CE3DE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000361148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:08.695{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59987-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000361147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:11.035{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518EF15EE2C2102662DA73BD9E0F043D,SHA256=99465E914776FB107BACD2BB95AD865945D6F237A10542384BBF691CE8100CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:12.958{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7612A921B7789350833ABFE60CA1A397,SHA256=6EAAA3BD519C5ADFDB33EE34E299D03311AE1C9201E325AD92FA443B6A908FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:12.181{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2D7E4FF2A4EED1DA79740401857318,SHA256=361381A5890DABF370BE6FA9B86625B2C5D30BDF467C3545CB61668DB65DA05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:13.298{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739FFE79E976D8C2690CEDD6702A83D8,SHA256=623F04907E35DBE0A392A67C4747DC70C3D218C7B16E65648F6F493082D5680C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:14.369{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A4A7A9062BF79E3D8C808B63D5C314,SHA256=17A5AC194DA336B1BC2DF4D6860C3B6B61D3DBED1D7D479ED9D5099ED09F5EFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:14.436{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:14.435{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:14.435{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:14.421{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:14.031{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E130C8D206F0528BFAD514564102757F,SHA256=D94A5E71F417B74E741787FFA64D7B351CF51BFFCBB4E9D32EF70BD849582CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:15.464{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751FBA4626B94DA5FDA0A22B0B28C561,SHA256=0CCBDF6A47646C0D2B69A9EBF6F0B423731B6F29F9E038041631DAC842243F6A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:15.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F77DA2F2428DADB650C8A5EA081F2E,SHA256=89FB3AA521EB5C3CBD498C3E96725634655E148A3E36E659B22CE3BCFDC11B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:16.597{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D45F1F61A74EE0C0DD6408BC28FC30,SHA256=46639C278BBA8FC5E9BA43A7DB11CBDFD804502C1BDA58099C854A494C4D7C8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:13.337{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52334-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:16.259{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6410CD50F9B9E206373DC5A23DAD30,SHA256=D474F56E541C4A31B2B1AF8674E6EBF2220CD305A421DCE15C55B1F657DB1807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000361153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:13.891{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59988-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000361155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:17.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C407F45034B26A67A419400B7DF68CC,SHA256=D8A5E4CF2CC6140A28B24CFBC35ECD4AD1602F656B4B823DAE5D8FDEC6651F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:17.351{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92243C1E4D0A97E6455D069CFB44E54C,SHA256=0691905AC50D8E64D392464E8D5CB9C32287D6D45A916EE058FE6DF3135E69D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:18.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A19061A4AB7B690660FE4DCF10E7177,SHA256=24FCA077229389191DD489E1F7ACA652EB0AB4C7AC0C6DB16DAF35361A8FAB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:18.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7CC1A79B6FCA635019F43A1986F446,SHA256=629A8E9D9515829401325C98E93007F5D0658572ACA9054E0820178ABB5CB6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:19.832{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512E07B7D116817C4BAFC978671E97F4,SHA256=C2F57E5110D0AB86A7B55E89E1D691D7BFAE67BB633D965830CA33994BCF1DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:19.546{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C252A0B41F0D88EFCA516D04C1BC23E6,SHA256=968B8794F8A0CD3C4401762BF4956087FF53D27ADD827ACF5D55F156CF801F67,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x8000000000000000361158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:19.446{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000361157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:19.446{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x8000000000000000361160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:20.930{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF1DCC6B192459519FC0151921721FA,SHA256=2823A500924900C578DA3961EF0DEF23D0CBA3D646A9984BF8076E1D94527EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:20.639{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D613151D7357CAB44EBA2255640DFC6F,SHA256=04D35FB9295B1D32E9DB49B8CFC223DD57978EF09E9CB3C7AA53F820AA96399D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:18.393{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52335-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:20.093{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E97CF61FDB8DDBED4636821B510BE5CE,SHA256=8134CAD88D86E116C9666A85B44462D2096A01219A95211233DFE7868DA5946A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:21.729{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E424A5509381264AC23D65C80014D3,SHA256=E93EE87096474D74C9BE9D4E76063B091BCBF157E27204C04B7D257A0A90D3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:22.822{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4544A55E53CDAE7D7749C574E3BFC016,SHA256=023605C7DDDA71D8F95A29024A96CB184BA023403A3D4BA82C7088652825CDAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000361162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:19.888{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59989-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000361161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:22.061{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2CAB259E9CF0472B0B86D1221CCD64,SHA256=28895048A4B12D1176AC92AF81BFA24424E5F431C2A9CF28BAC19687C72AB003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:23.924{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D59036F3D121AAD8B4C0FC5BF7AC9,SHA256=312EFA2DC07BBC672BAFA3A430B26A06042E6F17DF47DB3C3C09E0D4AF3A6B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.790{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.783{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.779{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.773{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.771{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.764{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.755{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.753{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.751{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.749{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.741{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.733{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.718{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.710{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.693{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.680{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.625{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.606{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.593{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.583{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.575{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.534{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.529{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000361163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:23.160{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EE1B4FA40A4D4B06718F56FBCEBBA1,SHA256=6C3B2DC64B43369F5D463CBCBB02FD2C176D70517ED44BF953527155FE7EA584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:24.215{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B0ABC6C64565CACBAA13ADF277B1EC,SHA256=1C67D1DECCD7327F3449F8E17113F382AF420860E704693DDD155A17E4813149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:24.189{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:24.186{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 
23542300x8000000000000000361191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:25.858{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=7EEBFA02C6BBEB320921FE98DE2D8FE3,SHA256=BC547EFEFF4292E3B92A90807D41456C3ED76ACBCF145D81C39A042167A64C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:25.294{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D80B26B401F3F651252B955B727851,SHA256=EFF8ECB4B34782231383C24161D30A13859466BDC7B263EEEF568A6E67F30867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:25.025{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F979D09173E30D32A35C0C5B512361,SHA256=95F157F5C9A0C2192C1033320ADF1ADB23AE0E8DEB528356A308533B1C59A20A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:24.301{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52336-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:26.134{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF05317F0322507A5AD569FB81A8A7A1,SHA256=4552F2BD9A174B1D2211E79C05FAE60C6C2BC702D7AF1EC2DFC352F26119EAF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.995{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.993{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.990{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.987{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.983{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.978{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.976{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.972{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.970{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.966{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.959{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.956{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.949{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.943{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.940{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.937{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.933{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.929{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.927{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.925{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.924{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.903{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.898{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.891{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.884{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.882{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.880{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.869{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.833{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.831{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.829{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.813{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.803{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.763{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.758{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.750{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.745{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.744{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.739{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.737{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.736{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.734{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.733{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000361205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.395{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F7800E8F607EE33ADBA1D20BB8AEC1,SHA256=AE7D35DC90ABF25E0F0D26266488D26BC5DFD8917FEEDCD6AABE07366249A0AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.215{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.211{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.026{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:26.026{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.026{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:26.016{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000361197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.016{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000361196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.016{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000361195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.011{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000361194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.011{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000361193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.011{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000361192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:26.010{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:27.226{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D99FD54A057B57672513473C0EF560,SHA256=76A962FAF647D94583C4D45C2A66319CA887C86DF8E582F6959E27E2B92C6FBB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000361378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000361377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000361376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000361375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000361374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000361373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000361372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000361371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.896{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000361370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.895{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000361369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.894{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000361368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.894{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000361367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.894{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000361366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.894{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000361365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000361364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000361363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000361362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000361359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.893{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000361358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000361357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000361356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000361355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000361354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000361353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000361352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000361351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000361350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.892{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000361349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000361348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C 
Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000361347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000361346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 
734700x8000000000000000361344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.891{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000361343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.890{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.889{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.888{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000361340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.887{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.887{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000361338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.887{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.887{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.887{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.886{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.886{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.886{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.885{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000361331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.596{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F61C1D703C548249EF90158EE9C899D,SHA256=78207BEC95460FE2D01EDD69298F301D7E907C0C5C919C5A164813B47495A089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.586{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82F71FCBF3E835A27BEA58C5ABC7F7E,SHA256=24140675D2B79A7E1C98D315FB494C24070788DB5BADA6BB82176D1942BC84C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.582{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1131C43777398F312544F50A74072E,SHA256=461335B3F9C4054D07F1C8413B7221CEEF15805D4740CE29500AD207C1E032D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07,IMPHASH=6D13CFF8D69236E816F0FF58801FB3BEtrueMicrosoft WindowsValid 734700x8000000000000000361327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.278{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.5427 (rs1_release.220929-2054)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=350591E5AAD9F791EB4309D819A2DFD3,SHA256=99F3715C57336E3589CEF4BE4A6777634CC9DC46840305DFC6233946BEC79CED,IMPHASH=B1175218A8304DF3BD6BF43A45EE8073trueMicrosoft WindowsValid 10341000x8000000000000000361326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.316{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000361297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.263{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.5356 (rs1_release.220906-1211)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=0BBB3D660FE02B48D0C20917BE94F027,SHA256=250FC3A792D98F55E2505EDE57D69DFE5D415997ACFB80EA5D57C700CCD464D4,IMPHASH=A8C982C1E8CF4134B4F2115A6232000DtrueMicrosoft WindowsValid 10341000x8000000000000000361296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.312{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x8000000000000000361281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\1da9cca8Binary Data 10341000x8000000000000000361280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.296{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 17141700x8000000000000000361278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 11:07:27.296{30B46F62-7D2B-6352-0608-000000008B02}9496\{B9B69BF3-D8F3-4010-A4F6-CB0E94E172D6}C:\Windows\SysWOW64\explorer.exe 734700x8000000000000000361277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.247{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.5127 (rs1_release_inmarket.220514-1756)Internet Extensions for 
Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=F109FD19546BE93A10E690A75AB76CD0,SHA256=7C7C07F1D80F8320F929896597A7F903E565E2090110B6531D393AD0D3EB66E7,IMPHASH=6BB04210898C6D83772D571885398917trueMicrosoft WindowsValid 10341000x8000000000000000361276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.278{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.278{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000361274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.196{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\62e0a35eBinary Data 13241300x8000000000000000361273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 
11:07:27.196{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\908a7b83Binary Data 10341000x8000000000000000361272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.129{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.082{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=1029851F233A4FFD537D7B924F6078E9,SHA256=48FAA459585093FD2423A991B264219E5D7E0D37328D5CE6BDA917AB02607E31,IMPHASH=2A11EEDCDACA5CF22ED5A9A77F30DC4CtrueMicrosoft WindowsValid 734700x8000000000000000361270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.072{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\wtsapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5E,IMPHASH=62E80DE569E3D2B9A30E859918635AC7trueMicrosoft WindowsValid 10341000x8000000000000000361269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.076{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.076{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.076{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.075{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480,IMPHASH=A92DB75F144155161CE7994504E7528FtrueMicrosoft WindowsValid 13241300x8000000000000000361265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.075{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\577f7310Binary Data 13241300x8000000000000000361264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.075{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\efc31475Binary Data 13241300x8000000000000000361263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.075{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\92cb5bffBinary Data 13241300x8000000000000000361262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.075{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\2a773c9aBinary Data 13241300x8000000000000000361261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.075{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\28361ce6Binary Data 
13241300x8000000000000000361260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:27.074{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exeHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Eshorkcy\1da9cca8Binary Data 10341000x8000000000000000361259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.025{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.024{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:27.024{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.022{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.019{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.016{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.013{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.010{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.007{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.004{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000361249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:27.000{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000238927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:28.336{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E91B28C9FC5380605CA15496124627,SHA256=AC3FE8F6DB5AE34A35A6F77906D4518A047BA1C070F8EED7B76D5481EFDEA291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.947{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7033E525B6BF367FA66ADFA851E0CF5,SHA256=F3710F00B64956DCD558AF4EE72FB01BD0F55759D0EFFED42616B2A9BC1D7344,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.795{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000361490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.793{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000361489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.792{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000361488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.723{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000361487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.723{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000361486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.723{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000361485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.723{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000361484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.723{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000361483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.723{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000361482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.695{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E80803A22FC789461CEC0F6B186EE14E,SHA256=5AAAE0111D33E2136144C4709C15D8C772DF6386D8DEBF170D266822FC4B8977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.640{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583C0BC7E66E69091357F4E2EA062C78,SHA256=25D2761BCFFC13FE05F5FF7406D499CA83CD55040F03D9D07F105C279120710D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.635{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DD2147F60525390D3025726C69C419,SHA256=CE535BA29EEC30CDC7BCAA4ECB14E706088A9983E9ECBF0CD104BB79910356E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.601{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000361478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.601{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000361477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.600{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000361476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.599{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000361475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.597{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000361474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.597{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000361473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.597{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000361472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.596{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000361471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000361470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000361469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000361468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000361467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000361466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000361465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft 
CorporationValid 734700x8000000000000000361464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000361463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000361462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000361461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000361459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000361458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000361457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000361456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000361455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000361454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000361452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000361451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000361450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000361449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000361448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000361447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000361446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000361444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000361443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000361442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000361441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000361440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000361439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000361436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000361434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.578{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.578{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.578{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.578{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.579{30B46F62-7D70-6352-0F08-000000008B02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000361427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:28.331{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000361383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:25.804{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59990-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000361382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.078{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
734700x8000000000000000361381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.078{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000361380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:28.078{30B46F62-7D6F-6352-0E08-000000008B02}7904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000238928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:29.448{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18F4C678BBB7DED49DD0BB2BD4CC7B5,SHA256=96717EB503F653179BEC08355EF3850EB92C616E0E131638BCF2AA5C17C80525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.655{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF58482995687E217B267B42926CAA0,SHA256=267A0E83D78896DE4BBD99AD71D3255C7629EE4ED60B803945C7AA7C646FA489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.478{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF09DDCAD70A7AC1E0B208D6F8DAB30,SHA256=55E3C83097F381EF34508844040AB7A0534E8F8C77AD7365B5F636190520B4E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.446{30B46F62-7D71-6352-1008-000000008B02}98249812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.446{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging 
HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000361586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.446{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000361585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000361541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.346{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EBE8562863282D18EB7B110686577F,SHA256=CD386DEC5438ADACDB85F3F1A0CF9767818C7F1968E8837DF45FC56D8D87F2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000361539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000361538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000361537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000361536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000361535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000361534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000361533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000361532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.262{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000361531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000361530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000361529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000361528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000361527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000361526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000361525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000361524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000361523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000361522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000361521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000361520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000361519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000361518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000361516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000361515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000361514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000361513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000361512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000361511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000361510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000361509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000361508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000361506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000361505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000361504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000361501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000361499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.246{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.246{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:29.246{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.246{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:29.247{30B46F62-7D71-6352-1008-000000008B02}9824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:30.550{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1A0B301982168CFC7EEC4C62B0817B,SHA256=DA559EB0708FBA2063CDDA8360088C0430774239C7FF167E0BC5A70F90100592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.796{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256792888F4A211F07E0C3DCD515EE6F,SHA256=BE464C7094D9C3A8F371031A4D84D680591F6FC7608929030D5B41825CA24031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.796{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5ECD7CDE252E3D5A3A7950ED3368A4,SHA256=1F8138AA80813139C57F2BE78E1A698AAF815CAFBCC7D8ECF59B616C4558D915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.431{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:30.416{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000238957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.997{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.980{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.971{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.967{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.955{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.859{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.831{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.817{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 354300x8000000000000000238931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:29.429{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52337-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:31.634{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB500631B31333735AD17D8C3F74EA39,SHA256=A65A2D7DE5F526339DCA99A078B9D01DE09B1BB9432775391CF233087AB8E9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.897{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E55D71232F80FAE582610603FC4E867,SHA256=9B187B94C0D9140F7712FB42E5745982828FFA189C768C5DC08C08A32DD575CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.897{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8878603658EA1603D4E6D727C1FB97F9,SHA256=FDF854261ECEC023BC713E98D2A4C3BDEF1881C12436F33E8923C5A702486D6A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.548{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000361731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.548{30B46F62-7D73-6352-1108-000000008B02}68844632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.548{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000361729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.548{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000361728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.495{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.495{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.495{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.495{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.494{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.494{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.494{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.478{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.463{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.447{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000361684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.363{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A3FE4CF7322F949EFC2C2FC725B8F37,SHA256=A20274AC7246EFE4A9D40FA48CC4DD382C6E6D1C4852DBA56676E8FBB0B7E293,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.332{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000361682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.332{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000361681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.332{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000361680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.332{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000361679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000361678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000361677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000361676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000361675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000361674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000361673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000361672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000361671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000361670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000361669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000361668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 
(rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000361665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000361664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000361663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000361662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000361661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000361660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000361659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000361658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000361657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000361656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft 
WindowsValid 734700x8000000000000000361655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000361654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000361653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000361651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000361650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000361649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000361648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.316{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000361645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.312{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.312{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000361643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.312{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.312{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.312{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:31.312{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.312{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.312{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.313{30B46F62-7D73-6352-1108-000000008B02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000361780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.936{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35FD8B6C7ADE22229AA62C5F5B5A919,SHA256=A99F8331394318971BAA304964DA66D681B997A756EEDB3F0518BA4755F2D03A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000238960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:32.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:32.006{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000238958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:32.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000361779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.628{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB669420D5D6C67E34BF075900FC9AE,SHA256=5BC686B68855394212F75943243748E05811418B652B2D25B0A9C97D9517854D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.532{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.516{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000361880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.996{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4699D70DB5D66D2C09CE9C22567ADB,SHA256=3E3720C1E8B925583ADC6416938E8FB49BBC9F5E2190DFF445058D7F99B4A483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:33.203{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF07195CE69B7FE79ACF93BC59786538,SHA256=16274578F41ACE423827FFAA7735B29BA6DBCFB1BDE128734A777CD44F1E6A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:33.125{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.896{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000361878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.896{30B46F62-7D75-6352-1208-000000008B02}93769444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.895{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000361876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.894{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000361875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.795{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B100976150475D845E2F79F6934058,SHA256=E777CCB35CFDF8FDF1DDEF9963095F8A4022BF9667914DF25B66C9EEED47B05A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000361874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.782{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A790865A3B32AE166E9EE40079207EE,SHA256=4F6D16C611B1BE70BE985A90093914B24DB6FF5A6E0224656E06EB871F8D1C38,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000361873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.706{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000361872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.706{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000361871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.705{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000361870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.689{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000361869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.686{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000361868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.686{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000361867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.685{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000361866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.684{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000361865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.671{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000361864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.665{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000361863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.665{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000361862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.665{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000361861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.665{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® 
Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000361860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.663{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000361859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.663{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000361858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.661{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000361857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.661{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000361856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.661{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000361855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.660{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000361854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.660{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000361853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.659{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000361852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.659{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000361851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.659{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000361850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.658{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000361849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.658{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000361848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.658{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000361847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.657{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000361846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.657{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.657{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000361844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.657{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000361843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.656{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000361842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.656{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000361841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.655{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000361840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.655{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000361839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.655{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.654{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000361837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.653{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.652{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.652{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000361834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.651{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.651{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000361832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.651{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.651{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.650{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.650{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.650{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.650{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.649{30B46F62-7D75-6352-1208-000000008B02}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000361825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.562{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.547{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000361781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.131{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:32.353{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52338-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000238963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:34.143{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D688FDD6A61D58335BDF546AEEEF2C72,SHA256=C0B1A54C255EA3F5ACDA84E8A811BC5340EB814BAB4DFBA4BED18BBC9E77EBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.780{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDC7AEA798BD7AC571126E11BBC7A32,SHA256=01E00EFECF576CD7F761E0693525EDB2D765D34BE0C6C424D261C53CF237957F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000361978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.778{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B863763067C7541C497B70EC37A81F81,SHA256=B316064096A0E0964E48F843C33470D592835B9E7036E64070B069E18C53ED81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000361977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.595{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000361935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000361934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.578{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000361933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.531{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000361932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.531{30B46F62-7D76-6352-1308-000000008B02}81886260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.531{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000361930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.531{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000361929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:32.758{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59992-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000361928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:31.775{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59991-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000361927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000361926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000361925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000361924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000361923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000361922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000361921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000361920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.347{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000361919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000361918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000361917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000361916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000361915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000361914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000361913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000361910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000361909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000361908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000361907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000361906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000361905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000361904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000361903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000361902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000361901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000361900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000361899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000361898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000361897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000361895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000361894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000361893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000361892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000361889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 
10341000x8000000000000000361887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000361885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000361883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.331{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:34.332{30B46F62-7D76-6352-1308-000000008B02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:35.238{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84604610F9909C8EB41799CA5E7F49EA,SHA256=8D0171E54036B45E29308339E61DE1358F5A1A98190248F955E4FC16D43EF4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.922{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77294E885826932B4D26AEE76C8021C,SHA256=B30A69B4484BD38FDBA514DFD2FB9B69363745C536B79A30A7A7FA75BCE03EF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.607{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000362038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.293{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59993-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000362037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:33.293{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59993-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 734700x8000000000000000362036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.338{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000362035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.338{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000362034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.338{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 13241300x8000000000000000362033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:35.176{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 
13241300x8000000000000000362032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:35.176{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000362031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:35.176{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000362030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.171{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.171{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000362028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000362027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000362026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000362025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000362024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000362023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000362022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.156{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000362021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.152{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000362020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.152{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000362019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.148{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000362018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.148{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000362017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.147{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000362016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.147{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000362015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.147{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000362014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.147{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000362013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.147{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000362012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.147{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000362011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000362010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000362009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000362008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000362007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000362006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000362005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000362004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000362003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000362002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.146{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000362001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.145{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000362000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.145{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000361999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.145{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000361998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.144{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000361997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.144{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000361996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.144{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000361995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.143{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000361994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.143{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000361993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.143{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000361992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.142{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.141{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000361990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.141{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
10341000x8000000000000000361989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.140{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.140{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000361987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.140{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000361986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.140{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000361985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.139{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.139{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:35.139{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.138{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.995{30B46F62-7D76-6352-1408-000000008B02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000361980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.112{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35F861F019786B8DCB00790F560EFAB,SHA256=498604A87BCFDFF28F30775A9E64991AEFFB6D24F012CB1E50908B26BE16B5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:36.339{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DDA2A82665CFE39F3E689FF0A2CA7B,SHA256=EB8857E57B5A45CAD8DB73F214B0C18274B13255669090582A3D9B6C86C95A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.870{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40532CF9947A1B61154CEA540AFECB94,SHA256=628DD92D92CAAEA4A067307CEDF2956DA471039E202032719C4EB1C6F38BBCFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.855{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.855{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.855{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.685{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.684{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.684{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.684{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.684{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.683{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.683{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.683{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.683{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.683{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.682{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.681{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.681{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.681{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.681{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.681{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.681{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.679{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.670{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.654{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000362090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.835{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9830:5aef:2cd:ffff-64857-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000362089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.816{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59994-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000362088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:34.816{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59994-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 23542300x8000000000000000362087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.238{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6716BFC51A07864F9D24D3484972C5A2,SHA256=7DB9444788D0FBC0A77D6F6202BE23492B2A34F305F6825E4E5994F455AAC040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.023{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:36.023{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.023{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000238968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:35.312{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52339-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000238967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:37.445{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F073785C3EAACC55328987A1CB8A7890,SHA256=BE3AE0B1080586FBF39ADA413412F5877808A6DE98BE7CABEE16128D2140A60B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.728{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.728{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.728{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.728{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.728{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.727{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.727{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.727{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.727{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.727{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.726{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.726{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.726{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.726{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.726{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.725{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.723{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.723{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.723{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.723{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.723{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.722{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.722{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.721{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.721{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.721{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.720{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.720{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.720{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.712{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.705{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.705{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.705{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.703{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.703{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.703{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.703{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.703{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.703{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.702{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.702{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.702{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.701{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000362143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.666{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59995-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000362142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:35.666{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59995-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000362141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.374{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9085EFCEE7F4DC35F09EA8D714B2DDE4,SHA256=E630D2C3B3CFF97694D0708F3889B9E3FC13127F74D5130526934C5890E6D885,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:37.037{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:37.037{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000362236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.921{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FACAC1F23D4C378429D34B28D242273,SHA256=B3D1B267F20D4FF43BAB45C0ED0B6588FADD05AC3EFA07972242C2DC848AD4AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000238969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:38.540{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896500A66CA24B7D7FCCD7FB924574D,SHA256=A9FDBB42D24C5ED1CA1A23498F959F3CFEE2DF42723E844A75D054BD915DB1D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.752{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.731{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000362191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.496{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59996-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000362190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.496{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59996-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000362189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.490{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0CF32D6C96C2DC602340C584E232ED,SHA256=CABB1E26C9CB5C8385E82A833B49478264FF009653C3E8EC065C27733A576223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:38.006{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF9F71C2B922C797FD423303B4348F7,SHA256=777FA7E779BD8A0E660DEC09418D009231E0C08B0178589605A4B1B7CC98F378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000238971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:37.954{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT 
AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-50308-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000238970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:39.646{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6471E1430C2B225EFD8673A2A0D60CCF,SHA256=C10E44C680E68539ED2D585C7A07FB50EE8E40151A2DA6CB33176CD30137937B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.789{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:39.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:39.620{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807E9771D4078ADFA5847634E0BFB476,SHA256=BD65138BE58E05DA659F97DE8D7022D84DFE4B3F13EEA011D489C6952DF66E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000362237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:36.848{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59997-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000362328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.859{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.858{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.857{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.857{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.856{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.856{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.856{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.856{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.855{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000238972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:40.730{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938173674412D1C61A95C2F366215C08,SHA256=22AFACC5A236490174E89CDC6C3E271DE24545681B9BBE8A9E8ED99FAB29FDE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.855{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.855{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.854{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.854{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.853{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.853{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.852{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.852{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.852{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.852{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.852{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.852{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.850{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.850{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.849{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.849{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.844{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.838{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.838{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.838{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.837{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.837{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.836{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.836{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.835{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.835{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.835{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.819{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.819{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.819{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:40.819{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.720{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C70EE1B59A2F27BD2ECE637A155BBB,SHA256=5B615D466E4EF03997EC26925079BABF6A733A7587D9D5FC526B49C7CA8824C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:40.020{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3158694486BE5F71144B4BED1BA53733,SHA256=80BEB676DFBAE3B8A51C8859C3E9A1DB0D75C560B9B8F9E5D4A3665C785CFFEB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:41.823{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D46A878EEC9474ED5C6F395CB0F51F,SHA256=123EC1B0E6F10F911295137B7BCBF7431A774510D00380A57944F104B01859D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.896{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.892{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:41.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC4B1600E125813E3036922531732A1,SHA256=2C8C9B0ECC4FF8552EC4C3B633700B22C351FD1AC316DCE4A7F4AACFA30EBD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:41.153{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22A48A187CE671B2D16994C9FE15D88,SHA256=8900104E96C371F9B37E96947821C8D261EDDDD3C65FE4A7702E2E21A51233ED,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000238974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:42.939{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004745F7670F06B1A9AF370A099D7978,SHA256=1AD1D5F648DC532C78E545C0161A6E3465958FDB7AEE80E09378BDD9C3636841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.942{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.942{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.942{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.942{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.942{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.941{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.941{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.941{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.941{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.940{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.940{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.940{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.939{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:42.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.856{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B5088A777D66E7E050BAA2CE4AE9C9,SHA256=3B29D6B5B64D72697AC470A586A00BA1D52CB763967C15288B78A299281F4C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D6D5BE0DA2FD319DCA5E7A116A70F6,SHA256=9464051CCEF648FA389F4F9D9D1A53D05DA30DF554C258BDF5480E03B4A904DD,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000362488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.970{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.970{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.970{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.970{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.970{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.969{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.969{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.969{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
23542300x8000000000000000238976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:43.504{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-220MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000238975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:40.395{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52340-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000362480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.969{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.969{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.969{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.968{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.967{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.967{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.967{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.967{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.967{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.967{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.966{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.966{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.966{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.966{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.965{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.962{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.957{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.957{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.956{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.956{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.956{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.955{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.955{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.955{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.955{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.954{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.954{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.954{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.954{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:43.953{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.833{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.827{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.821{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.812{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.810{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.802{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.796{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.793{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.791{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.789{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.783{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.778{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.761{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.734{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.722{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.701{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.632{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.601{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.594{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.585{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.571{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.525{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.523{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000362421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:43.003{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52C5EF2AA3CEF40D5DB17478D80AF10,SHA256=0248F8BB3997A4BEF94D3B0435611B4D57BD6FD2437D80D8680EB703FF7CFFAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000238978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:44.510{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-221MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:44.122{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0B2D8C9DABE213D344812CB14C1145,SHA256=6EA82DE022B8734A2A6D2FDD5F5B5E4D98A1BBFD5A4BDE67BD6F998BFCAAC02E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:44.974{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000362493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:42.793{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59998-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000362492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.211{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000362490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.096{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3905F35F92867E95AC6A7544276D838,SHA256=0D6E743F2CC57A68CB18C8E3B9EDC2AB737C1F5D031EA6F0179AE2C9B4B9FE2B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000362489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:44.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFB85E1CD9B0481CB2911D3D2E5C38E,SHA256=57A606CDB984E48FA6D9DE6E894B8ABC0C98A8E4CB922F9A933B5DE6246D13E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:45.913{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=674CC730F969697E114CAAE27CAA5A8B,SHA256=9D9FD5C3A0AE37C3980A278FC3C47EA419AA258F1CE1D82F33D131D9166CCDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:45.155{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C39EE2AD1A2C1961A8E3931248C1FC0,SHA256=19051B2650B3333FC144E5B922188F11591437D1E5D7EC5994A74421FB50BB1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.689{EFF5EEA8-7D81-6352-C906-000000008C02}5722220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000238994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.560{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1711133638281057D5A2687672146232,SHA256=CB948AD5744F5CABD76123D85B3FD724252C2CB49E703E20437D9BD4CA4BAE25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000238993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.545{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D81-6352-C906-000000008C02}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:45.545{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.545{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:45.545{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.545{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:45.545{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.545{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:45.544{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.544{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:45.544{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.544{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D81-6352-C906-000000008C02}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.544{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D81-6352-C906-000000008C02}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.543{EFF5EEA8-7D81-6352-C906-000000008C02}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000238980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.223{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55270E99E141E48FD3BB0B56E0897ED7,SHA256=CF336EC00D5572887AA81EF644685D2F179E4A7E482A37983F5CFC0EB40269C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000238979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:45.223{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CE7A80780D1E880BE9803F259B058E6,SHA256=D11D5DFC9D70E8A358BD0172E037F55EC9236D86064F1D32D975A7DD18C4DF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.888{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.889{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.575{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB8E1C8500130133A2EEADC31C8CD1A,SHA256=B0E53D1B5E79CF02DB66AAF047259B23406374D299C2D18EFE816531F9EE5F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.388{EFF5EEA8-7D82-6352-CA06-000000008C02}40361524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.998{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.994{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.992{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.988{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.985{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.981{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.977{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.971{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.968{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.964{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.960{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.959{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.957{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.957{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.930{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.923{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.918{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.913{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.910{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.908{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.895{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.856{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.852{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.849{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.833{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.824{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.798{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.793{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.779{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.769{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.767{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.763{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.761{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.760{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.758{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.757{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.243{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.242{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000362591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.240{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B037ACB097DADF39BF501105CB00954F,SHA256=D1149B8345E1D0E9D70AD27D39B7D250D9315ED0F89246A9FDBDAB87627B837E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.239{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 
13241300x8000000000000000362589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 11:07:46.138{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXEHKU\S-1-5-21-2377329074-3944928713-608161882-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d8e53d-0x594c9e43) 10341000x8000000000000000362588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.138{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000362587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.138{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000362586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.138{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFcfa624.TMPMD5=A4670CABC14D7551C56556724DDE58F1,SHA256=5AA750D72DC98C3B2F0FD3674D91BD9CF2CE599A23918CA948117F1E8D66A72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.123{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=8117D2F4D6FF8CCBB106EFBBCBB9C6DB,SHA256=09709CBA4BA5976B160910741FA4887E8C7C376225C49DF6017336F370E2C1E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.043{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.043{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.043{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.043{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.043{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.027{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:46.012{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64846C1DA2479AEE66FE3F90C2A1584,SHA256=19922B120C2FBC310822CB8BB6C014C027C4221243E0F313E2BDF11F8F6D4FED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D82-6352-CA06-000000008C02}4036C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D82-6352-CA06-000000008C02}4036C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000238997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.226{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D82-6352-CA06-000000008C02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000238996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:46.227{EFF5EEA8-7D82-6352-CA06-000000008C02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000239043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D83-6352-CC06-000000008C02}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D83-6352-CC06-000000008C02}836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.568{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D83-6352-CC06-000000008C02}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.569{EFF5EEA8-7D83-6352-CC06-000000008C02}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.427{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DF6806E42C4B55EE73568B52F7483F,SHA256=0796B05E9BD16B95853094FEBBD7999C076DDE8A8F89B7A65AD17F35088E60B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.309{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83574407AD2C4E0642536F4D736553C,SHA256=EB3121B0E133E2ABB7F5C4903DDBAC048B0449861E49AE6A3493B00730AD37C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.076{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.076{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.076{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.076{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.075{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.075{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.074{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.074{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.074{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.074{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.074{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.073{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.073{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.073{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.073{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.072{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.072{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.072{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.027{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000239028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.027{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000239027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000239026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000239025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000239024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:47.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7D82-6352-CB06-000000008C02}1176C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000362673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.072{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.072{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.072{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.070{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.066{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.058{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.058{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.057{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.057{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.057{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.056{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.056{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.055{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.055{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.055{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.054{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.054{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.054{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:47.053{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.045{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.040{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.038{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.036{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.033{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.031{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.027{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.024{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.022{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.019{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.016{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.012{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.009{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.006{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.004{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000362630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.001{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000239072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D84-6352-CE06-000000008C02}4084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D84-6352-CE06-000000008C02}4084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.905{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D84-6352-CE06-000000008C02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.906{EFF5EEA8-7D84-6352-CE06-000000008C02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.546{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AED25B72B4D08C847657A18FB7C9E6,SHA256=99AA09B2F6CE0F32F48FF9446B6EFCAFC1C18B73E153D015FB8D979E366B3336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.410{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE91AEFDF5E52848CAD1D0D33F86D074,SHA256=D0FA709901084F45E93B76B68BE27EB55CAD535D8337A45B21513C6B54D81738,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.437{EFF5EEA8-7D84-6352-CD06-000000008C02}20041592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D84-6352-CD06-000000008C02}2004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7D84-6352-CD06-000000008C02}2004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.246{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D84-6352-CD06-000000008C02}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:48.245{EFF5EEA8-7D84-6352-CD06-000000008C02}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000239044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:45.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52341-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000362728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.110{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.094{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:48.041{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3577F404F31B838F657784C0734C0001,SHA256=B0A187643F3F727F6BCA0ECA96D4898AE398A411E41368B14FFF193CF35746C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.618{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0519DB3C3D137BF6FFFF689C50CECBC7,SHA256=A7FC6FD8827A20E3114BCB2A6BBA783AF4E7FF6582E37E5EA9B2191594490E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7D85-6352-CF06-000000008C02}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7D85-6352-CF06-000000008C02}2396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7D85-6352-CF06-000000008C02}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.587{EFF5EEA8-7D85-6352-CF06-000000008C02}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000362785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:47.818{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59999-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000362784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.512{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F85F994EABBB7CFA1CD7045670BC63,SHA256=F7CE036D5A39A163C586EE55197AC64E1EB62EF62AD187D9380CE69257510EC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.166{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.165{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.165{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.165{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.165{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.316{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=31EDFD428520749C386B025C10E96F52,SHA256=7F45103E004C52C145874702689212E090682E3D222D8C070BF45975997D5E0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:49.069{EFF5EEA8-7D84-6352-CE06-000000008C02}40843184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.161{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.160{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.160{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.160{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.159{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.156{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:49.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:49.106{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D682D6457E256115E2C676B5006B292,SHA256=7035FDB2E0BC2719B8DB915B9D18FCF69FA2F80414A444A47D6B08C676F6E608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:50.802{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1B8B85F85452A896B75CD1742B8794D,SHA256=2E7D2AAAA7CC16268DE0DE53534C37FE730CB6C291AAC27889F1D1E07D8BFE47,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000239089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:50.708{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA38C6395F36EC091AC1B141F4878063,SHA256=DEE299A661669B034BF06FDEC6C91AB76E041C9CD549B556AC1864A01AEEE176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.930{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=3C5483879E9F5D80E9A1C51E6A0AD423,SHA256=B9F04311DFB2CBF33AA1E9CBF687B27E63D99D391229DF87B0F76AC38D26BA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F820CF958F1209535AA93DF12F605A0E,SHA256=F48CC57B91EEB478A670879E7C370C7C534782E599ACFCFAAD4571501122C440,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.197{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:50.182{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17748924BA0DAF75040DE425E655EAC1,SHA256=AD30BE0D02C393BE0D14CCF858D4AE85F7CB2A5D233A60514EEAD5512F030747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.996{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.957{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.950{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.940{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.927{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.823{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000239091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.784{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACF61CEC7B4E034F802107DB0AD3489,SHA256=4BEF4C968BE16902EC274201F235773BC1FB32407A3A799A97780E7A800FE901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000362877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.716{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B4D303C89F08000CECD2C11A33C8E6,SHA256=59F86113FC784746B884812BC7A5AD70AB56A3CEA317D4A32FF86D2688428323,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.246{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.230{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:51.215{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000362922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.802{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF53A4B0AE4FBDA9A91A8CCAC56C817E,SHA256=8D41883609801F1B887EAA527F755FE9D56EB9AFD9562D7C79C830D73CF17FF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.017{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000239113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000362913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.285{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.282{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.282{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.282{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.282{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:52.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:51.329{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52342-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000239121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:53.001{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378EB557672E3237E04463B04A48A176,SHA256=B838EE41C42B7E6A012CADC35F705CA4C4A93F38DAFDBAF3D36E9BDCA78DE467,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000362967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.867{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6780639EEFB58E6AC9309D3344ED9A0B,SHA256=C14BF76F5FDA6C751263E035FE176156B4B73515D3762ED5C5D5202B7F5D2B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000362966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.317{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:53.302{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:54.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CFA1406FD8B7B145955806D7298988,SHA256=247CEB4EBD7DD9C1C21DC859A7E89F51761660E3F064940E87E48223A23AE0AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.467{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8FA67CFB6858BB4A53573BF8676E49,SHA256=701BAEDD729739A7632047D3EE9AB6709EB6046FD72DE2C387C08DA29E4F2D99,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000363011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.368{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.366{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.359{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.358{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.358{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000362969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000362968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:54.342{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:55.370{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D7E099C41C1F7334E30AB94904CA6B,SHA256=32A9EE0FD66C26248A837744A4F770D2DA14046D503AC1E9F7452A98B661DEDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000363059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:53.761{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60000-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000363058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.585{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89EFB59A353B55A3467A634740BFC3E3,SHA256=AE3A0C94839FDE565BE377A57316C04C64B7D44946E307CA4E14C4352206A101,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.404{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:55.388{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:55.294{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-220MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:56.471{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31964A5D6958C566745B1472049406AF,SHA256=A4681A0108FA9EE50ACBB93385BD75459F86D11BF8C5CC07AAE3CDC7BF3BFABE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000363105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.686{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA32BC43D44ED6C777DE1669625ACAD,SHA256=51308A340910BB261F7FB44A93E37F63D708DB323F00927E1E3C4CDB0E8B360B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.436{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:56.420{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:56.292{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-221MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:57.562{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691B16C55896E616542B6246B4E55EA5,SHA256=F834A2BEED3B6C87DD67A81730D127D137D26A36F6F30388B8D748BA71472C0B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000363150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.507{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D73BE0AFFB6927BA8887A8209AD6FA9,SHA256=4F0C123EE417637BA6E17B6BA7631BA92635F9EA97D7642D6EAC3592DC3DC555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.491{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.487{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:57.472{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:58.663{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC9C2949A45AF27883D456BC59EDFD0,SHA256=C0A4746D9AB28D8EDBB66C73B04651FF8F25B3B4F9FB0AE30FF68476CB630369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.890{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A884C08526A4574EE19903891B297A03,SHA256=5FF6C2B95E89F9D7A02D566E40CF23B59672EF14813EE5796CD1620869903778,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000363194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.524{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:58.508{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.975{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A102E2E8FC8FBB5F0E061338247EEFCB,SHA256=0D8E0C87B37DF532974BF8FD4235C3389FE0A5C2A50FDB705401E0F5329F92BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:59.746{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604DABB7222CFBEAC38674FE06A28B90,SHA256=D8EBDA73A287E250CBA7BACA67E732FAB678431F5209BBAF03658D7C30E1AFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.575{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:07:59.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:59.525{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2006232A724CD63911424A10B09F6BEE,SHA256=64EBB6CDD98489EDEFF324A4DB55948D6B00C82B603A086D5C2A9FB690AE2D85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000363286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:07:58.833{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60001-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000363285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.627{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.627{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.627{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.627{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.627{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:00.840{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3484EC7D637C710FD0707D4C897A7509,SHA256=C766B18A3AC86994CC4D2ACBC3850657951A735766B9B1F6BD23E36E6088917C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000239129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:07:57.276{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52343-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
10341000x8000000000000000363277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.612{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:00.596{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:01.927{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0608D1E2C9E9FC2DB9D0DB9DBD4AE8,SHA256=56DFA8FC994C53338D67B6FC16B910B1BE907298700521E57E14D1786A9BB623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.660{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.644{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.460{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C63ACB61FBFFEF2617043FEF1227EDB,SHA256=B65275A0E279C2108FCA9C9151D9E1631E0F0DE443B780FA27FAF9ED950267B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:01.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F153EB296AE070CE7A131EF55ADDA9,SHA256=A3CBE4B04EBF4F621FF9F1EDCA0365A3971F40970D44AF923CB5CF6C3D148E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.832{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2C055449691F0509C93C7D0A4388E1,SHA256=C85AFAA749DDE03734E946E72C45E6E2C68498394A085F1AB186F92CBEF03D5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.715{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.699{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.695{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.695{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:02.680{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.680{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924E7B619992CC85802EB2F71A035FF1,SHA256=CA022A0FC481DD58532BFAA927D89549429A129E839CD07D5DD30808CDC9DF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:02.195{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1058D65B36829649BF7AAFAFC8FFE0B,SHA256=47FB54187FF47A97BD920503E762F452EF671A379909C0F82D5A01353DF01763,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000363450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.974{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=50A45E6A25E07ADB2A48C9F65866853C,SHA256=96C12F297F675964E925F7B489E5F5478E361BABA84B02F0F0A8D2951B6D8AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.875{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F12246CB9CA5F5B9D1D835417DAD09,SHA256=0547B732013D591AC433BAEEB5CFBF4B957C1632C9D34AC954930A46BD534E91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.798{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.793{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.790{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.776{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.776{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.776{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.776{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.776{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.776{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.775{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.775{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.775{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.775{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.774{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.774{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.773{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:03.025{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CCB1C55DE6D4FE0B23D81B3CC23178,SHA256=C3D739BC2A9A869D75D6672D3BD55AAF086D197588DDF9D2D57089EAC0E28786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.772{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.772{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.772{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.772{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.771{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.771{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.771{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.771{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.771{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.770{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.770{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.770{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.769{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.769{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.761{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.759{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.755{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.755{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.754{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.753{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.753{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.753{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.753{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.752{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.750{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:03.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.748{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16361090622A51A9AF7A2FDBF2C75D0,SHA256=405C39F1250A8DE2DE6458BFE40C3867693E16A6C47651865D4BB16FA64FF325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.747{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.742{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.738{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.729{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.723{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.703{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.692{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.680{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.669{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.631{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000363386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.630{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 
10341000x8000000000000000363385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.611{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.594{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.578{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.570{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.535{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:03.532{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000363498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.920{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A03793D6F6BBD3E1137A7CE3CA92FC,SHA256=BE6A0FC118C8B7413E5524E288B797B07BC7A85A63C48F8D70A1D1C7481EA985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:02.456{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52344-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000239133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:04.120{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AB25EB7C5E9325E6EF27770A35E34F,SHA256=2EED50900B9449D1A817FB5DB51A700D9255470E4E86236B86BC16C84A499535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.804{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.800{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66A4430650DC4CBFBB4D97D396714C8,SHA256=2CDA4DAC7B5F3BCA15AEE267545A66DA34B4E5312FC36646AFFF80BF987F960B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:04.785{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.235{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.232{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
23542300x8000000000000000239136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:05.988{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B5ADFB3979639ABA040C72CC850CB78,SHA256=F829C79DA7AD858B56D35FC8103B83DF699C097480907B23ED03CB42F3FFF0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:05.211{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D715475B7E86217569FB52E8F5460E23,SHA256=AEB3B8C41B602ED40E68582ABBDCD11FD360478232EDA363603A95288CAFF9EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.841{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.838{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:05.822{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:06.322{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACD9D28CAE2CE45F741C6E5EEABEB9B,SHA256=14FBB73DEB9B46165A7E7F87629D0193ABF7E14C76179DFBB92E23679693D8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.996{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.993{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.990{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.987{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.984{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.982{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.979{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.976{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.973{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.966{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.963{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.961{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.956{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.953{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.951{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.949{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.948{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.932{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.929{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.925{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.922{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.919{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.917{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.903{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.872{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.872{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.871{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.871{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.867{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.866{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.864{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.862{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.860{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.860{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.860{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.860{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.860{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.859{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.859{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.858{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.842{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:06.832{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.806{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.800{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.792{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000363554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:04.679{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60002-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000363553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.786{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.784{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.780{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.778{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.774{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.772{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.771{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.256{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.255{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.253{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000363543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:06.001{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA707783AF36FCB850504676AC3FD67,SHA256=A4E0B6E9680354941C15B0335E5BC409488FA78DC1D8F91F477921B59FA9DB39,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000363691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
23542300x8000000000000000239138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:07.415{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E18B0671D528F4A1F8BEB16BE09A2D8,SHA256=6DE2B43EEB51837794A98DEAB6010EA91E7090873BA2FD48604B9BB4D46F7460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:07.886{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.112{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15C7D6603A59C52BFCA6DD0DD222944,SHA256=9C5D5433703155BEF3599857A70E2025A259132B6510DFF30B88E30496103AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.106{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E272BBD513D98B48FB3F169F3B861BBB,SHA256=D61D0C4877A92D084CEBB592CFEE41DA9B6F8E828EE214B9B3F941312273763A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000363645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.054{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.053{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.053{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.050{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.048{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.045{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.043{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.040{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.037{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.033{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.030{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.024{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.020{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.010{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:07.006{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000363737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:08.726{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000239141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:08.726{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:08.726{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000239139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:08.514{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC5D78C154ED7D7F5FB97E662EE244F,SHA256=5E39962F71C7147B2B4B22A6B13D2B92960ACEF3398272D5F35FB2E5F437101F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.928{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
23542300x8000000000000000363700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F59F45793B46401E6E6263E13BAF9CC,SHA256=44D05D6308560850A9845AED86200A0112B147935123A22E23E9D653DA56552A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:08.912{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:08.171{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E2E19F0AC0F8CE5DE0D5198343B14C,SHA256=F9091A702695B76DA480D4AF7941DC65590439CFE23D307CC76F6CCFDA6DF851,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.975{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.975{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.975{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:09.611{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3715E2388825298AB2C4066AC184DD,SHA256=C5BFCCF8D0BC1184B8DED16830E69FCA21E278FB23107CE44025BD16A8005B59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:09.275{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4BFADEFACA71D6939DA8560ED72AB8,SHA256=1CD9E6C0811D9C5054F527A5F0805F3D19AE21E1CF609B81BA7A01270A471433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:10.705{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971C9A402B4C8176AE37C3255791CBFA,SHA256=51B55DB609BC216694DE1307F631B3114EE99464293131A57AD7B738C5F9F199,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.992{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.992{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.991{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.990{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.989{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.989{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.394{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E7F9CA6FD2CC882EF7EE3905EB0B41,SHA256=E5C29A8F86FBE9FBBAF57B3F09A87CEC54B4E58051723498560AE99B6FE9695A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.993{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.982{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.979{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.961{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.884{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.865{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.827{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000239146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:11.780{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8060C86EB862B4D3385FE1CE7CC8899,SHA256=D25A18A56926870628A8CC20918B2A914426BBC851C678FCFCE52EE61373CF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000363828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.496{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09912186A93DDD9A03D9B74409E6F116,SHA256=B61C64DF7D4C249BD5671FB8433452C2DF1E63542E5067DD80FFADAB8BD86B96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:11.015{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.015{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.015{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.011{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.011{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:11.011{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.011{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.011{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:08.329{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52345-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000363819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:11.011{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:10.995{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.553{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C089338368A4062C86289AAA33E946,SHA256=8C00C854CF53532215380376D3F5D8F64B4A0B54E76FE2DF50DD2B7DBE127D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.022{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.020{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.017{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.014{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.013{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.009{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.006{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:12.003{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000363864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.032{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:12.016{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000363919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.149{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F5AE5AEC797345218FEA9823F472CC,SHA256=4529203D102F5374DBA85BFD6235A37D1790099D8B2CD4367918FF3DD0F7DFB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.080{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.080{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:13.065{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1643ACAEA66A4DA7DB5BDCEDDD70EE,SHA256=F320CAB78BC828045A5A3E9C60A36258C461242AF9110F5F835B0F6D98AA19CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.065{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:13.049{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000363874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:10.674{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60003-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000363964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.251{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D2C2EBF34FA0C5C882AA0C999AE77B,SHA256=54187BBCCBD25BAEEFDAAFF8842FE2E08D740C29FDA7EC3A55DE974B56942D51,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000239181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:14.435{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:14.435{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:14.435{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:14.421{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000239177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:14.160{EFF5EEA8-4873-6352-7400-000000008C02}2880NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6015DA40EF3988112888A99588C43C88,SHA256=F5B484A66FA0B997AFC297BC494CF47AD285E550BD9A25BEDD40A1CB37F7E86A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000363963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.119{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.116{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:14.100{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.337{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEBBE5231B9E313F823D2A1C09A3F39,SHA256=38914D5A4F4C8840589AAFD8D358CF28CC53662FEB2502E908C257DDE361907C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.337{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9E679FB911D43D96B3A386C825C21B,SHA256=EA89390838BD4E2BB422332545DF61CC12C19F132AB37960B124F4047F803229,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000239182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:15.253{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE0C57D8F43590C8E38162D0C6632E5,SHA256=19DFF7B5C2F919304C31D1CCB7F9C74D635A38254A2530065B29053A81468FDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.153{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000363966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000363965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:15.137{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.454{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619E58FA7AC7E8155FBD0434406C5264,SHA256=8D8C5725B2BB5373A4993AB5FA9F0B9BCF2E0EE66A89B916C9E145294C3C14AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.454{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF182A50733A9B34A87976EDFADEDC8,SHA256=81788F7346DCCE4F795269AF990A4F1C9D862068E20C494016594761D9D34701,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000239184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:14.277{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52346-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000239183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:16.362{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BA2F112D684BD7D157A583617D1C9F,SHA256=A2FC47D2A48572F76A9189FA79F77793413964487EE916F8EC2DA65DB1D60B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.203{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.203{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.202{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.202{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.202{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.202{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.202{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.202{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.201{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.201{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.201{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.201{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.201{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.170{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.170{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:16.170{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:17.456{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DD7BB0E1953FF5D03D116A5994E58B,SHA256=5EB8CE4DFF6A41069C658079E3A3B5FB07EDF16124B215272D86DC5350C048CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.577{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FFCA80D738B935935E527D27DDDB53,SHA256=266AB9685833EDE342E2A22D15756B58A4B9A24C3DC457469EA08870F344A616,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000364101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.574{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6E8460D195EA856A8F57E417037469,SHA256=F15D22357233FD5471572F96CB885D92B3A7C8A9C274E9B26B4FA1D170C1AB6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.225{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.221{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:17.205{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:18.537{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE7E97BD0619170B3DCB7C8F8A3B65E,SHA256=B1F5C0C87FC1BFD0B32FFFAAD51DB4D20C3405DAE5E65D0186AB5735FE54703F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000364149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:16.699{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60004-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000364148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4222756B10E61433D6A5A830C049266E,SHA256=B080BCAF05110C1C76D2E1019B0BEFD9FD57AAF4FA6B752D6702303844F41AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F9969083490F579E9871D205F93C6E,SHA256=42EB1DD7C53125304978133D08362D7C0A8A4C22C6E08AA4BE1E4F841FB7F13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.275{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.266{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:18.243{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:19.636{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3216218E4B2C0656D43CFB2F6575FF1,SHA256=77190C2E25391D0E4310C568B462877E39B26AC01F449E0F16523D83F69C07C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:19.605{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=05ACF5A3844A9C5794F3717FA9ED86D7,SHA256=493E7EAEEA99901018C9CD3D6EC55A96521FC6EA4DB097ED56ABEB1121B3EDBA,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000364200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.894{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.894{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.894{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.894{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.894{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000364195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.792{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08CF1D3F0DE37DE84F74040C2484C0F,SHA256=6CDC3AB72A5B601460950CFE5030AF281B2E922E7D621FC053E2612DDD2E5E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.792{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC4AE1388F1B4B9F4A3D2D888E1DA5C,SHA256=073204C22331E9D43EFC9B6A3CC22539EEBE630DD15995CCF95D95E606FDE4B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.326{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.326{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.326{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.310{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:19.292{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:20.729{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E14E9E8FCF2D6FF179993F192E3A405,SHA256=0AFC6AF736211031D3A8EC69B64595EF03CCDDA760DF8D424934FB92C5461BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DAB6E7701F62078D38DBBD5C26618A,SHA256=8314BDC59DCE6E625AE0DC47C41C824C61D9FF16D3A96E1245A511D7A370E517,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000364287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54B49A90A826ADE0B1B6219084A1E79,SHA256=1500A0532B9059AD390ED6814F013F57C86078FA496EF841B0E701071110C867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.896{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B000A29598583F17E7F484ACA4F42BE6,SHA256=C0387568DBC0186CED5799710EA08EFF910F0EF942977471343C9232F3EB5C2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.710{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000364284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.710{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.710{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.709{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.708{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.707{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.494{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.494{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.494{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.362{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.346{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:20.330{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:21.818{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBAADFD5A3D1E8029C951C465B62873,SHA256=A95C5FD1CA6C89A40F03C1C3616F47E83869724308C70FCCF78A187ADC4AC723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.530{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB927F2DD2F38B4A7B969754DB2AD66E,SHA256=31175310463FD0B3913645FB6A6669415384A71AEDC7C34B175EE3AE1E32070C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.395{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:21.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:22.905{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8352A08F632D70C9A000EC8DE6F8F062,SHA256=491A48E1797394E9962C2D62A9CDEB3D215CF986D39D075299D9313FAFEDDB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.699{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381D5FED5F77F28A6EDB0FA9D3FD09D3,SHA256=0FEFFE1BBB695E046C78B34C1F3376F1E07AC1E6AAD6CB493F669C5EADD7A708,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000364378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:19.452{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52347-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000364369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.451{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.435{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:22.415{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:22.096{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E69BD1FF83EAFF6B8A5BF23BF1B86FE,SHA256=3C1A910E1CD1405C8CE90A9D61EBE4DF43E883A32A306A686496515A5BE80253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.838{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.834{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.831{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.825{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.823{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.816{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.809{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.804{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.801{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.799{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.792{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.785{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.771{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.762{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.750{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.736{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.684{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.660{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.639{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.627{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.606{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000364427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.562{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA28E102A5EB23C62B403DCFD9B72EFD,SHA256=E6CCD24E61B186A01FB6727A6065548698445408DEC478031B6ED0533B9029E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.534{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000364425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.523{30B46F62-486C-6352-2D00-000000008B02}27204100C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000177F2190) 10341000x8000000000000000364424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.500{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.500{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.500{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.500{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.500{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.483{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.468{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:23.183{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB9207BCCDB478768EAB2B1F5493650,SHA256=97F51F36544FBD4B9B3D6CF9929A180B6C3291A2C242D5A88DE29708B785BAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.602{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FE37ED1EAA0F0BC102C6E6F14A1A12,SHA256=52BFD86FDD1D9ECE570E5182C1739B435DF41FA0B0E64F797BB4E2E5D1F6C3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.587{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276773EE18B7C15E5488E2FE07A2987B,SHA256=931EF4597C1F39BD25424A9A7BC34848C4955911F5F4C97944A04F478F2D4C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.540{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:21.930{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-53029-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000239193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:24.105{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A968C32A885072F8EEE066EBC88B94D9,SHA256=8D3E6BD5ADBA5C9A1CCE53C75897E5BB4B8B5DCB8C3C4AFD9191BDC329130DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.536{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:24.520{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.214{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:24.211{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 354300x8000000000000000364449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:21.794{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60005-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000364543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.704{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87E386107625628521362D461330CB8,SHA256=3D66635E62954D920334707AE6572514C92692BE3569C0B393EAAFE99F43268C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.589{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.589{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.589{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.589{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.589{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.589{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:25.197{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75B0156639530C17DD6394860424251,SHA256=D161A1322DC03D9BDF2B9D26D19EE1B26F3CE6BBBB48E82DD74ECEEF15EA5D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.573{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:25.557{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:25.341{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC6A627CC7E99C1DC1B78D1CC138609,SHA256=53B3CDF0274D5C7892F4D69067A6ADD1ACD992223B8395BCA2FA7F52B8465B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:26.309{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5349C34A164A07A8CF9786BBB30304,SHA256=FA3693DC7684624E2EFCECC4DB53235F4A0490FAF6F19F54540F50A67679B56D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000364621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.992{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.990{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.985{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.981{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.978{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.975{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.963{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.914{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.913{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.909{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.880{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.866{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.837{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.827{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.814{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000364606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.807{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3137D96E0978AA8515283987022269,SHA256=64AD30348AE1E0847420A5D610812F1428EB9690D8BAB47A9B5956DD898A5491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.807{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.805{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.749{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.747{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.746{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.743{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.742{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.624{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.622{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.606{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.424{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7ECD8235BCD3666907586D4E91F1DCB,SHA256=C91039CB5A6DF1D42104143D3384F6DD52543589B725389B58462A955B1774C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.225{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.224{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.221{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 734700x8000000000000000364550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.023{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000364549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.020{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000364548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.015{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000364547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.012{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000364546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.010{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000364545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.010{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 
10341000x8000000000000000364544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:26.007{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000364749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.977{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46FBDD31E11A531F4EEFB1E8F7EBAD9,SHA256=E00BD0CAA5FF6A52EDD816A9C5C6E1FEC0C0BA6C977FBD577A7C16D824270BD2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000364748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000364747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000364746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000364745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
23542300x8000000000000000239197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:27.403{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A12402612B6F8BAEED0B80CB50A8A31,SHA256=03E8F957C66865C9981364B2D8947F86136BEACC75890DDFCB8C80BDC03F7054,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000364744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000364743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000364742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000364741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.883{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000364740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000364739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000364738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000364737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000364736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft 
WindowsValid 734700x8000000000000000364735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000364734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000364733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000364732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000364731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000364730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000364729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000364728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000364727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000364726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft 
WindowsValid 734700x8000000000000000364725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000364724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000364723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000364722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000364721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000364720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000364719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000364718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000364717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000364716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000364715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000364714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000364713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000364712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000364711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000364710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000364709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000364708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.867{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000364707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000364706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.867{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.867{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000364702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000364701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.867{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000364700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.863{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B23B7A29DF95F76A835466A99218DA,SHA256=F0961949C93A5AEC55E3A43F3D4FCC650B52846A749B740C54F634EA4D96694E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.677{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.661{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.645{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.645{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.645{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.645{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:27.645{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.508{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B50936007DA87A43F3D60CCB6CD2E7,SHA256=4570C70D70F38D85DEE0B2817AFB5A61C37DFE742823001FD02E21F0E7C2A4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.341{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B973710EF686141DBE92F549D0079970,SHA256=05AE56AC28449E6EB9C2F925AD3D4A154D05887C45C042740BD674DC4A9C07BD,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000364653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.097{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.096{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.095{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.093{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.091{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.089{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.087{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.081{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.077{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.075{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.072{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.070{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.067{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.065{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.062{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.059{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.056{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.053{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.051{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.048{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.045{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.042{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.039{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.036{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.032{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.029{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.026{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.023{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.017{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.013{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.012{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000364622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.011{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000239200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:28.496{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D45ACAF2F2E616E063AF5F8F6127B02,SHA256=560EB1E123AF6540B4A276B0E9158B4F6BD70BBEA0BB450B6F07219E9ACC2025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:28.496{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF20083096A76D0432476C42073A3485,SHA256=4C508CFA41E73172D9A9D15F142AD2D1D04F3F58D3B891104430796E70FBFE5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.747{30B46F62-7DAC-6352-1608-000000008B02}77645416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000364847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.747{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000364846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.747{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000364845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.726{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.725{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.725{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.725{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.709{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.694{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB0D9072C5BE33A6D9D61E56692DD1,SHA256=858500C54DF77364D5B85D2B276624FD92375E7F794F807DA4365C5B7B8AEB2E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000364800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000364799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000364798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000364797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000364796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000364795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000364794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000364793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000364792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.562{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000364791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000364790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000364789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000364788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000364787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000364786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000364785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000364784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000364783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000364782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000364781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000364780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000364779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000364778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000364777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000364776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000364775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000364774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000364773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000364772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000364771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000364770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000364769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000364768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000364767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000364766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000364765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000364764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000364763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000364762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000364761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.547{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000364760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.543{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000364759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.543{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.543{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.543{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.543{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.543{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000364754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.543{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000364753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.544{30B46F62-7DAC-6352-1608-000000008B02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000364752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.061{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000364751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.061{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000364750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:28.061{30B46F62-7DAB-6352-1508-000000008B02}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows 
Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000239198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:25.360{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52348-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000239201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:29.600{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79647E33099252643AFA0CCE108B578D,SHA256=E4E16124B263811D4FEDA358D65DA43796D3E1ECF4DD1B4D9D25491FF260F610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.829{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6A4A22539B920E7B3999D1A02A3B11,SHA256=24E69E6CA25E991718EBB8535EE9FF549A1D27262687BC370556987656DEDC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.748{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.745{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.729{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.695{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF1584791253D165149C65C2E07DDDB,SHA256=975F57B6D13D3D98ABB29A9ED8F5B22F8B0E62992A03EF0AFE6A669FE1533762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.645{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE177AEEE66FEEA8A164D59F19F8F1BA,SHA256=D2054391DDEAFE3DC4D1C39D740C46C4FE09AF52EF305C9D094227753D1F4B82,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000364906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.279{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000364905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.279{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000364904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.279{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000364903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000364902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000364901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000364900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000364899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000364898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000364897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000364896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.099{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000364895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.095{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000364894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.095{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000364893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.095{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000364892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000364891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000364890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000364889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000364888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000364887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000364886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000364885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000364884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000364883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000364882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000364881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000364880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000364879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000364878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000364877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000364876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000364875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000364874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000364873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 
734700x8000000000000000364872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000364871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000364870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000364869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000364868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000364867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000364866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000364865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000364864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000364863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000364862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000364861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000364860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000364859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000364858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.080{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:29.080{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000364853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000364852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.086{30B46F62-7DAD-6352-1708-000000008B02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000364851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5295F7216473DF97DD6E2FEFB20F9212,SHA256=1C2AA52AA4ADE05D9AEBE75516656C9BA40223BA10C6C7E4A4D3D8F9620BDF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1272C2D216CBAFAAB47440E4393CA967,SHA256=2E2FB0A6E1C96347751DFC84723BAF7D3DAFCC6F821C5EAC689AB9CB259AC02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000364849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:29.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1F8C27333C926B2A10A7908776C7DBCF,SHA256=9A80D3525CBB22387C28C7829EB5C26F2EDC665F6165DF861F616980FDC366F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:30.686{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344D78BDF39A0E06D84056844055C5AB,SHA256=83D90BB711BE927294666BBA693528C226DE7AD36B0C1BD49B4BEB563E2AF40E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000365001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:28.455{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.205.25.54ec2-34-205-25-54.compute-1.amazonaws.com59640-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local3389ms-wbt-server 354300x8000000000000000365000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:27.686{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60006-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000364999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.913{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D81D1C722C70D0F9167C66E8AD5B53E,SHA256=1B837BD5281368818E6F0DDA49D467EA4D03AFD5689C61F233961322712690BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000364998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.797{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000364956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000364955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.781{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000364954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:30.665{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04F1AA7292EC7B03C31B5B33D1B4B22,SHA256=A9C6C799707EFE053C492BD101579A2022AEBEB282F0C62D72F36D19218F1643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.998{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.996{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.994{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.991{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.985{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.982{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.974{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.972{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.970{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.965{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.962{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.945{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.930{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.921{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.865{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.847{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.822{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000239204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.818{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program 
Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000239203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.774{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B99AE003EBBBC5606586BB22215B6A,SHA256=3EE876782BE81B1B838F5A5A58300F3B2AEDBFA2FF64FF3E4B978C2D68C2ACB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.862{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B6675F523DDE374DEE49F295900C6C,SHA256=C4BF6ED58D8124772D8426BEEF71AEBB419C8B8D71E98D1B08FF61BD2EB4E23B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.861{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.860{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.859{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.853{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.853{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.853{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.851{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.850{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.850{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.850{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.850{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.849{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.848{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.848{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.848{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.848{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.832{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.831{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.831{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.831{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.830{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.830{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000365054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.498{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000365053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.498{30B46F62-7DAF-6352-1808-000000008B02}53725600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000365052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.498{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000365051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.498{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000365050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.498{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF226E39F4DFBAEC866BB2D43B19AEAE,SHA256=A62890B9C679CAA9691307DAD4112BAFC0ABBC22129B17EDE1A662C41D8E3B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.467{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DC94A964965923D030C1DFAFAF733B,SHA256=BEB63AE5D9C6CB0E513963ACA0CDD9A839868E2A5C21E6CE873AE33EDCFDBF6E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000365048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000365047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000365046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000365045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000365044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000365043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000365042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.332{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000365041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.331{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000365040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000365039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000365038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000365037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000365036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000365035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000365034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000365033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000365032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000365031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000365030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000365028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000365027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000365026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000365025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000365024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000365023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000365022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000365021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000365020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000365019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000365018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000365017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000365016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000365015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000365014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000365013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000365012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000365011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000365010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000365008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.314{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:31.314{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000365003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000365002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:31.314{30B46F62-7DAF-6352-1808-000000008B02}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000365145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.898{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEF34589804F6AE4199823F90BCDC85,SHA256=D165B86FB3A5031B65156916FA80592453F578BB547C4F14733A43D43D77040A,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000365144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.891{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.891{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.891{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.890{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.890{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.890{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.890{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.890{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000239232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:32.001{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000365136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.890{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.889{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.888{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.887{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.886{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.886{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.886{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.886{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.883{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.877{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.876{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.875{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.874{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.873{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.872{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:32.871{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000365100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.048{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD31CBEE28C562D23ED9D12D5C961C1,SHA256=EC2987201CE1CDE4F402BA2D54AC056E61CFB7AA537EBF327D6BDEBD2548D1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:33.166{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF230A88DA79B920E5EAB8C15CF4F3E8,SHA256=96A0AADA41D35B0B057EFE275D627EE3AB2316D3779C5E40110F619DEFBC5064,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000239233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:33.151{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.922{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.922{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.922{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.922{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.921{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.920{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.920{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.920{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.920{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.920{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.919{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.918{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.918{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.918{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.918{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.918{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.917{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.914{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.908{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.907{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.906{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.906{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.906{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.905{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.905{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000365199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.886{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000365198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.886{30B46F62-7DB1-6352-1908-000000008B02}98847512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000365197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.877{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000365196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.876{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000365195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000365194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000365193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000365192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000365191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000365190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000365189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000365188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.655{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000365187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000365186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000365185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000365184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000365183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000365182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000365181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000365180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000365179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000365178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000365176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000365175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000365174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000365173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000365172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000365171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000365170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000365169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000365168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000365167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000365166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000365165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000365164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000365163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000365162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000365161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000365160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000365159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000365158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000365157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000365156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000365154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.636{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.636{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:33.636{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000365149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.636{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000365148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.635{30B46F62-7DB1-6352-1908-000000008B02}9884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000365147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.154{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.134{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B294AC29737A397567134427081153B0,SHA256=C491B2D65B8C7A7EFC9A29CB9DA11E4B771A28780D2CDC0F9B5DC93D943E29E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.948{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.948{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.948{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.948{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.948{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.947{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.947{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.947{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:34.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D5153D2A8BB95C92BDC73B20E18E82,SHA256=85F88BB943FFDB50C09423373D764C55C1EC8BE08B5E28B48D2F04328E744252,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000239235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:31.354{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52349-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
10341000x8000000000000000365382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.947{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.946{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.946{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.946{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.946{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.946{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.945{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.944{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.943{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.943{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.943{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.940{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.933{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.933{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.932{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.931{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.931{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.931{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.931{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.930{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.929{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000365346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.835{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000365345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000365344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000365343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000365342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000365341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000365340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000365339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000365338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000365337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000365336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000365335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000365334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000365333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000365332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 
734700x8000000000000000365331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000365330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000365329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000365328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000365327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000365326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000365325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000365324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000365323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000365322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000365321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000365320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000365319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000365318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000365317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.820{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000365316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000365315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000365314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000365313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000365312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000365310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000365309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000365308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000365307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000365305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.804{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.804{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.804{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000365300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.804{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000365299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.805{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000365298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.719{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF7DC8BC04E830A10A99541DE3B985F2,SHA256=13F1250FFA3656B89E7EE8257E7EBD393736D650AF1F106AEAA9E04012423153,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000365297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.318{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000365296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.318{30B46F62-7DB2-6352-1A08-000000008B02}80888740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000365295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.318{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000365294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.318{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000365293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.287{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B5749101E06AAAB9B9BBF6460C6F23,SHA256=4ECAABC1E156473A118FE77E30F5DDA80E6D186B3D031A381759A19DCFC2426A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.271{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDB1F56877648C39BE10EE0A5EB1135,SHA256=C40A2A9BB85207B13C83F14BA25A15A2CB97027434A4CC852F12910F3B682FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77073D9493B330FBA07082F7507E03DC,SHA256=88E432BFF34198C7426846BB76D4C1E9D31B5C4607BA53C18FEF9BA5F3547EDB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000365290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.156{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000365289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.156{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000365288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.152{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000365287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.152{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000365286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.152{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000365285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.152{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000365284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.152{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000365283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000365282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000365281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000365280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000365279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000365278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=C8B96CA44DE99A4F29C4A1B15BDE0D5D,SHA256=6F1D831DC53DD0CC8602017A845874C600B893CEF6A923A6E6FB7587E9650442,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000365277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000365276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000365275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000365274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000365273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000365271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000365270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000365269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000365268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000365267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000365266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® 
Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000365265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000365264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000365263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000365262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000365261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000365260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000365259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000365258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000365257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000365256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000365255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.136{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000365254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000365253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000365252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000365251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000365250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.136{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:34.136{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000365245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.136{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000365244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:34.135{30B46F62-7DB2-6352-1A08-000000008B02}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:35.699{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=667A46D04F8C1B16AEB3FC11F4DBCCC4,SHA256=B1E224E80A21DCAE80C22E7F52598142F53C8C5A3F5C93D8C3B8C8FCE755E23E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000239238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:35.377{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B262EF46AAD037BA7BA98BB9599124,SHA256=36938BCF60CAAD90D99F4DA75ED5772CA35AF3AF6315B498193973D034EFDACC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000239237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:32.379{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000365449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.980{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.975{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.975{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.975{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:35.960{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000365405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.274{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBA1A799C5242325202F5DF77C87F0F,SHA256=F2C1FBF374476655BB248E50D95D2455AC5A4A1AC7D584EAE17AD5FFF4E4E2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.174{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=4878DE869C0F533219C1DEE49990BFFD,SHA256=4BE415B7E9555560D9635DDF8092EA4EA106AE63EFDDEE12F77DC49CBE147DC1,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000365403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.297{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60009-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000365402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:33.297{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60009-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000365401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.829{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60008-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000365400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:32.776{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60007-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000365399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.021{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000365398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.018{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000365397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.017{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000365396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.009{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000365395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.009{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000365394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.008{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000365393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.008{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000365392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.008{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000365391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:35.007{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7DB2-6352-1B08-000000008B02}9320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000239240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:36.361{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00A570B8C2B3487D5E626D7D50A8BB3,SHA256=5F700158B71BDF6928D37C1F578D410347C4B35C4E259C41035EA0424296DE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:36.357{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED328CE0B8AFB3DEB9F95F94E8BA432,SHA256=58ECB34C9338410DB600B8CD0060807662F22FCBF2DD5851EA1CCF7B7013DA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:37.449{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035201B41CFFDEFF25A0F75768757E41,SHA256=B8D3E02D6CBB92DCBA3833290EF955800FD101C516BEB8BAE36B36A32566311C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.463{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA56A3A917815D034C630A8785824CA9,SHA256=774FE62D60F3B57A2DBC8008CBDC01AB8E9C74BA90F4BDC4DF0A8C3934F469EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.459{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09132BEC4D6C93AA786A72E86F4C0E72,SHA256=1757AD915362B0933C12674434B3F86FDA910FABE161BDCDB3507323F71BB9CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:37.009{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:36.993{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:38.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F3BCE87555160DD1A962BD2EAB7C03,SHA256=3E9C7A462B0F1B273F2F8486D1DA064C2C94778CEEA2C6599B2800C13149D80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.565{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170613CCA023D875A2B10B5E9462BB82,SHA256=227E9A92899BD1DED74B12C3CFF85EB23D41585D24078A9FDDE370DB262E35EF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000365541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.561{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5295DA5718216F81D6EFB8E16F3F4818,SHA256=026A4EEB8B0CE1FD72340BED6B9DD10021B7D5DD1FCC60F79B4F8D1ABD6F078B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.044{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:38.028{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:39.651{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49CAD8189F9E94EA4747693D0C7253,SHA256=88E85599147E21748CF84CEAEFA7B9F15DCE7DFCFBD69AF416E6E5D8EC46EB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.628{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F515C2A633406F26DDB6D476DF2F5E76,SHA256=BCE57802E7A47DDEA565D6C677F5B19C4FF8A514B0AF2FF12764E996B4DCD562,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000365588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.181{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=578C8C3514D0ADA18AF456A8B12E4AB6,SHA256=39FF69C78177B254C8644548FE800CFD5DEB835D81BA5E91F48C5A906C29793D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.161{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D104307D023F4874465AF7896F7BD6ED,SHA256=97C8DAC9A8A487E9B37626E688A893696164331B1661DABF3069325E9F159BC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.090{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.090{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.089{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.089{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.089{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.089{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.089{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.088{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.088{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:36.469{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52351-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000365577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.087{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.086{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.086{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.086{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.086{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.085{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.085{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.085{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.085{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.084{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.084{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.083{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.083{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.083{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.083{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.082{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.082{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.082{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.082{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.081{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.077{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.071{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.070{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.070{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.070{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.070{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.069{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:39.068{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:39.068{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:40.749{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419B53FDFC4360B588F87925FF235F4E,SHA256=F5BAF81A5206C04BB754D43BFAEEEFCD5499334710A61B1C26289E55D29089BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.699{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB27E3C1ACE1C35F0D4977EA5B2439,SHA256=EAE4554C17EE37F6AF78847324C7772A336CA7AC1B1C6F604600C89FBAAB06D3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000365634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.398{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583C2C4EC2D91D764DEB8C26EECBEB9E,SHA256=4A61F33C8846F3244FFFD2171BDCBE1B2795FA5A99BBB06631DEAED3FEE1239E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.129{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.113{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:40.097{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:40.097{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:41.832{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845C222089841EBB774A1F032252F1BD,SHA256=4F729F4BA002A7D652D003479D5AAE73722B804A8ED08A530B3B1FFE7B9308CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.769{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE49E9547CF328219C5F0BDE5C2CCC,SHA256=625470A8453C9A660A8C3A459983BF08C40123425C8E4A8CA1C3A068D7B6F344,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000365681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F607B2389FC76B5A8FF17340868041,SHA256=5BC0EA5EAF6A7B8BCE8935A27E910ACFFA5A917D1DD99B91A559129147D2EE41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000365680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:38.691{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60010-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000365679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.164{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:41.149{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000239247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:42.935{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14AC32405B28BE4905CAE71042C5583,SHA256=D5C36BA03DBD8A7825E484199531A7F3284728A6FBE2B5080DF89E9EFB9D4BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.817{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1541A1AD6E03104321517BCAFE8FE8E8,SHA256=9A2A684E7E4320EB90E68013AA59F8C7C8BE4E22EB8C3AED3DBAD555F3E40C38,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000365727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.532{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C479F82077ACEAAF88878EAB0A54305,SHA256=7217480AAC3CFCEA43BC5439EE69556ED28E8099DD7A1B93F0322C06C398111B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.200{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:42.185{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000365797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.955{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B441F711B1D7D1D4B4C24A759CEBE3E1,SHA256=04721815600644642A937F803D64B0B26BFD5143EAF68F6DC1B926ED03D95178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.792{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.786{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.783{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.777{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.775{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.765{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.756{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.753{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.748{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.746{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.739{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.726{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.712{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.702{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.690{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.681{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.630{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.618{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.604{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.589{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.577{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.537{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.526{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000365773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.387{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01659521695B0062A99C461F029DC351,SHA256=6CC85559A5B271BBBE075D5F1B6CCFC41FD439AD39DEB3A07D95471D7CDD5843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.233{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.218{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000365844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.490{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45556FF9C1F5BA046CAD9108433891C,SHA256=EAADC0B0851A37B06904B92D5976A002C61DE310785CD1451E71DBC8B66993D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.274{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.274{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000239249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:42.408{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52352-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000239248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:44.036{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0958D3656E63BE6E6DC253454B056308,SHA256=93B887D43DEB7BB9F4EAAF8A253E433AEDA597209630EB268CC03751074503CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.270{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:44.255{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.216{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:44.213{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000239265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.742{EFF5EEA8-7DBD-6352-D006-000000008C02}33283028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7DBD-6352-D006-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:45.550{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7DBD-6352-D006-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.550{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7DBD-6352-D006-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.551{EFF5EEA8-7DBD-6352-D006-000000008C02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.128{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFA124CAD024B40AC552C011ABC6A41,SHA256=4C4433DD8D62BBDBE9478114C31726F5CD0AB09DF05CE3F3307AD9FBFB4C7845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000365890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.572{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7288D5388229583FAABDD36676C8F81F,SHA256=8BC17A604B587AD799B5327C94619F0A172CE1746F1EC30A1903BB110FF68072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.322{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.306{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:45.291{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x8000000000000000365845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:45.122{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA293EEA96B97C20AFCA8C9BD4FE7D0,SHA256=47C1325466D457C97EA4A5DACD09972E1960A3A572E0DE86695B0A0B76364215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:45.034{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-221MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000365969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.997{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.993{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.989{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.985{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.980{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.979{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.975{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.958{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.955{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.950{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.946{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.942{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.938{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.920{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.877{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.875{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.873{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.851{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.839{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.806{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.796{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.784{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.771{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.771{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.764{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.760{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.759{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.758{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.757{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000365940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.492{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2C51896E10A5D34307645B66B09A6B,SHA256=F984905B85878847E8D98D1C5C9DCF257BF260303D230741252F9612D2DB57BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000365939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.380{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.378{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.377{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.373{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.373{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7DBE-6352-D206-000000008C02}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.761{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7DBE-6352-D206-000000008C02}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.761{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7DBE-6352-D206-000000008C02}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.762{EFF5EEA8-7DBE-6352-D206-000000008C02}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.679{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DCB5348EF218A8EFF04BCA9A03F5E581,SHA256=FF8FFC6C4AC5926815D1B32F5E22A5228107ECC6FE53D3972EB1D59CEF58C5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.649{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8220B12F78311CF82F0053B7DEC2F6B7,SHA256=31D37EBB0D08F00DA7C020EA91EEBE08DABFBB0C4DEA1B040864786E8D3B8B16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.421{EFF5EEA8-7DBE-6352-D106-000000008C02}14802072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000239280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489C2B6D414F4C2DA7C19B2F0B852111,SHA256=D6DF1A2C7355AF7F182AB94607310CD7DF98550E7711FA6EC712C5FE3F796594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000239279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7DBE-6352-D106-000000008C02}1480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7DBE-6352-D106-000000008C02}1480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.229{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7DBE-6352-D106-000000008C02}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:46.230{EFF5EEA8-7DBE-6352-D106-000000008C02}1480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000365928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.357{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:46.339{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.243{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.242{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.239{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000365892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:46.139{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E10233EE8FC0E738B1F1DACD21D655,SHA256=C0BF4F32963C23CEDE980DC9A0A8B03A526202A93D20060D66C58DC76BD37901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000239266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:46.040{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-222MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000365891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:43.863{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local60011-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000366041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225CDE877C6FB10AFCD5695F739E3238,SHA256=0CF07AEAD720D9EE6034834CD6BFDE6D93E5138721412FAF9B20130267F62825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000366040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.578{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED7DF442D4FC0A8CF401D71E0DCB96C,SHA256=925AD3BDB9942F0FD27663689F07BAE34469C0A58359658B8113DB3B6A740079,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000366039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.574{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6675BC3C637047E82D2651C0209CB861,SHA256=811F45C3164D20AD547F2E62ACDF32316EA99F096404FA8C67A7466BC6C7959C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000366038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000239311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.613{EFF5EEA8-7DBF-6352-D306-000000008C02}3403440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7DBF-6352-D306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:47.391{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7DBF-6352-D306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7DBF-6352-D306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.394{EFF5EEA8-7DBF-6352-D306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000239297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:47.391{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CAF7E71FB39E349D654D4192BDF51A,SHA256=977653A2403D8732E1C7408A689484ED56251EDC170F7A46B10A05CBCAA4BE16,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000366030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.409{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000365996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:47.393{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000365994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.105{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7D2B-6352-0608-000000008B02}9496C:\Windows\SysWOW64\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.103{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program 
Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.103{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.100{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.096{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.092{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.088{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.084{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.079{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.075{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.069{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.065{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.062{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.057{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.046{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.040{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.034{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.031{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.028{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.024{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.021{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.017{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.009{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000365970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:47.001{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000366086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.677{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71A2205051194F8130346006BE61BF,SHA256=4FB08786FC6FD04D365905349BAF08DC0BD76B38A7D4F560DB02287C3AFC34B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000366085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-FA07-000000008B02}6568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7CF2-6352-F907-000000008B02}5508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.443{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 
11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000366043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
10341000x8000000000000000366042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 11:08:48.428{30B46F62-7D2B-6352-0608-000000008B02}94969348C:\Windows\SysWOW64\explorer.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|UNKNOWN(00000000006ABC22)|UNKNOWN(00000000006AF67F)|UNKNOWN(00000000006ABD2E)|UNKNOWN(00000000006AF6E1)|UNKNOWN(00000000006A5C31)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000239325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.181{EFF5EEA8-7DC0-6352-D406-000000008C02}30482436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:48.009{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7DC0-6352-D406-000000008C02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.009{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7DC0-6352-D406-000000008C02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000239314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 
11:08:48.009{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.009{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7DC0-6352-D406-000000008C02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000239312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 11:08:48.010{EFF5EEA8-7DC0-6352-D406-000000008C02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service